From e97dd245a273d01edf0cf99faad7b85f9baebf01 Mon Sep 17 00:00:00 2001
From: Michael Woodward
Date: Wed, 18 Dec 2024 23:08:05 +0000
Subject: [PATCH] fix: Webhook verifier ubounded IO read

---
 webhook_verifier.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/webhook_verifier.go b/webhook_verifier.go
index dee08a2..9df8ef9 100644
--- a/webhook_verifier.go
+++ b/webhook_verifier.go
@@ -17,6 +17,9 @@ var (

 // ErrInvalidSignatureFormat is returned when the signature format is invalid.
 ErrInvalidSignatureFormat = errors.New("invalid signature format")
+
+ // ErrRequestExceedsExpectation is returned when the request exceeds the limit
+ ErrRequestExceedsExpectation = errors.New("request body size exceeds limit")
 )

 // signatureRegexp matches the Paddle-Signature header format, e.g.:
@@ -51,11 +54,18 @@ func (wv *WebhookVerifier) Verify(req *http.Request) (bool, error) {
 ts := matches[0][1]
 h1 := matches[0][2]

- body, err := io.ReadAll(req.Body)
+ const maxBodySize = 1 << 20 // 1 MB
+ limitedReader := io.LimitReader(req.Body, maxBodySize)
+
+ body, err := io.ReadAll(limitedReader)
 if err != nil {
 return false, err
 }

+ if len(body) == maxBodySize {
+ return false, ErrRequestExceedsExpectation
+ }
+
 req.Body = io.NopCloser(bytes.NewBuffer(body))

 mac := hmac.New(sha256.New, wv.secretKey)
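Review bot: The size check in `Verify` cannot tell a body of exactly 1 MiB from one that was cut off at the cap, because `io.LimitReader(req.Body, maxBodySize)` stops at `maxBodySize` bytes and `len(body) == maxBodySize` therefore also rejects a legitimate request sitting right at the limit. Reading one byte past the cap makes the test unambiguous: `limitedReader := io.LimitReader(req.Body, maxBodySize+1)` followed by `if len(body) > maxBodySize {`. Both early returns also leave `req.Body` consumed, since the `io.NopCloser` restore only runs after them, so a caller that reads the body after a failed verification presumably gets truncated or empty data; a doc comment on `Verify` should state that. The constant's comment says `// 1 MB` while `1 << 20` is 1 MiB. `Verify` begins before and continues past this hunk, so the HMAC comparison itself is not visible here.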