Open
Labels: package: core (Related to the core libraries), priority: important, type: fix, type: security
Description
Problem
Http.getRaw reads the entire response body without size limits. A malicious or compromised API could send gigabytes of data, causing out-of-memory crashes (DoS vulnerability).
Location
core/http/Http/Client.hs:264-284
Impact
- Availability: Server crash from OOM
- Security: Denial of Service vector
- Cost: Memory exhaustion in cloud environments
Proposed Solution
Add configurable response size limits:
```haskell
withMaxResponseSize :: Int -> Request -> Request
withMaxResponseSize maxBytes options =
  options { maxResponseBytes = Just maxBytes }

-- Usage example
Http.getRaw
  |> Http.withMaxResponseSize (10 * 1024 * 1024) -- 10MB limit
  |> Http.withUrl "https://api.example.com/data"
```

Default behavior:
- API responses: 10MB limit
- File downloads: Explicit unlimited or streaming
Acceptance Criteria
- Default 10MB limit on response size
- Configurable per-request override
- Clear error when limit exceeded (not silent truncation)
- Documentation updated with examples
- Streaming alternative for large responses
Implementation Hints
Check if the underlying HTTP library supports lazy reading with limits. If not, you may need to read in chunks and abort when the limit is exceeded.
Related
- PR feat(oura): Oura Ring API integration with OAuth2 token refresh #332
- CWE-400: Uncontrolled Resource Consumption
💬 Questions? Drop by Discord - we're happy to help!
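The chunked read-and-abort approach from the implementation hints, as an added sketch that is not the project's code. `readCapped`, `ReadError` and `fakeBody` are hypothetical names, and the chunk source is assumed to be an `IO ByteString` action that returns an empty chunk at end of body (the convention of http-client's `BodyReader`; whether `Http.getRaw` is built on http-client is an assumption).

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import qualified Data.ByteString as BS
import qualified Data.ByteString.Builder as B
import qualified Data.ByteString.Lazy as LBS
import Data.IORef (atomicModifyIORef', newIORef)

-- | Hypothetical error type: returned instead of silently truncating.
data ReadError = ResponseTooLarge { limitBytes :: Int, seenBytes :: Int }
  deriving (Show, Eq)

-- | Pull chunks from 'next' until it yields an empty chunk (end of body),
-- aborting as soon as the running total exceeds 'maxBytes'.
-- At most maxBytes plus one chunk is ever held in memory.
readCapped :: Int -> IO BS.ByteString -> IO (Either ReadError LBS.ByteString)
readCapped maxBytes next = go 0 mempty
  where
    go total acc = do
      chunk <- next
      let total' = total + BS.length chunk
      if BS.null chunk
        then pure (Right (B.toLazyByteString acc))
        else if total' > maxBytes
          then pure (Left (ResponseTooLarge maxBytes total'))
          else go total' (acc <> B.byteString chunk)

-- | Constructed stand-in for a network body: hands out the given chunks
-- one at a time, then empty chunks forever.
fakeBody :: [BS.ByteString] -> IO (IO BS.ByteString)
fakeBody chunks = do
  ref <- newIORef chunks
  pure (atomicModifyIORef' ref pop)
  where
    pop []       = ([], BS.empty)
    pop (c : cs) = (cs, c)

main :: IO ()
main = do
  -- Constructed sample: an 11-byte body under a 16-byte limit is returned whole.
  small <- fakeBody ["{\"ok\":", "true}"]
  readCapped 16 small >>= print
  -- Constructed sample: ~4 MB of 4 KiB chunks against a 10 KiB limit;
  -- reading stops at the third chunk and the rest is never pulled.
  huge <- fakeBody (replicate 1000 (BS.replicate 4096 0x41))
  readCapped (10 * 1024) huge >>= print
```

Checking a declared Content-Length before reading lets an oversized response be rejected early, but the counting loop is still required because the header can be absent or wrong.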