Limit keyserver JSON request bodies #40

Closed
YoungJinJung wants to merge 2 commits into main from issue-32-limit-keyserver-body

YoungJinJung (Contributor) commented Jun 16, 2026

Summary

  • Add a 64 KiB cap for keyserver JSON request bodies.
  • Return 413 for oversized publish and auth requests before reading the body.
  • Cover oversized PUT and auth POST requests with tests.
  • Document the request body limit.

Closes #32.

Validation

  • PYTHONPATH=. python3 -m unittest discover keyserver/tests
  • env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./...

Add the local keyserver service, CLI publish/login/fetch commands, compose smoke wiring, and tests as a reviewable baseline for the security hardening work stacked above it.

Constraint: Security fixes for issues #30-#34 target files that are not yet present on main.
Rejected: Fold all security fixes into one PR | would make review and issue closure harder.
Confidence: medium
Scope-risk: broad
Directive: Review this foundation before merging stacked hardening PRs into main.
Tested: PYTHONPATH=. python3 -m unittest discover keyserver/tests; env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./...
Not-tested: Docker compose smoke test was not run locally.

The keyserver now rejects oversized JSON requests before reading them into memory, reducing unauthenticated memory pressure on publish and auth endpoints.

Constraint: Keep the limit simple and dependency-free for the small JSON profiles exchanged by this service.
Rejected: Streaming JSON parsing | unnecessary for the current profile and auth payload sizes.
Confidence: high
Scope-risk: narrow
Directive: Increase MAX_JSON_BODY_BYTES only with explicit profile size requirements and DoS impact review.
Tested: PYTHONPATH=. python3 -m unittest discover keyserver/tests; env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./...
Related: #32
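
Added example, not part of the pull request or the project's code: a minimal sketch of checking the declared size before any body bytes are read, as the summary above describes. `MAX_JSON_BODY_BYTES`, the 64 KiB value and the 413 status come from the PR text; the function and class names, the use of Python (inferred from the unittest command), and the 411/400 responses for missing, chunked or malformed framing are assumptions.

```python
import io
import json

MAX_JSON_BODY_BYTES = 64 * 1024  # 64 KiB cap named in the PR


class BodyRejected(Exception):
    """Carries the HTTP status the handler should send instead of reading."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def declared_length(headers, limit=MAX_JSON_BODY_BYTES):
    """Validate framing headers only; nothing is read from the socket here."""
    if "chunked" in headers.get("Transfer-Encoding", "").lower():
        # Assumption: a chunked body declares no size up front, so refuse it.
        raise BodyRejected(411, "chunked bodies not accepted")
    raw = headers.get("Content-Length")
    if raw is None:
        raise BodyRejected(411, "Content-Length required")
    if not (raw.isascii() and raw.isdigit()):  # rejects "-1", "+5", "1e9", ""
        raise BodyRejected(400, "invalid Content-Length")
    digits = raw.lstrip("0") or "0"
    # Compare digit counts first so an absurdly long header is never int()-parsed.
    if len(digits) > len(str(limit)) or int(digits) > limit:
        raise BodyRejected(413, "request body too large")
    return int(digits)


def read_json_body(headers, rfile, limit=MAX_JSON_BODY_BYTES):
    """Read exactly the declared, already bounded length, then parse."""
    length = declared_length(headers, limit)
    body = rfile.read(length)
    if len(body) != length:
        raise BodyRejected(400, "body shorter than Content-Length")
    try:
        return json.loads(body)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from it
        raise BodyRejected(400, "malformed JSON") from None


if __name__ == "__main__":
    # Constructed oversized request: rejected with zero bytes consumed.
    big = io.BytesIO(b"x" * (MAX_JSON_BODY_BYTES + 1))
    try:
        read_json_body({"Content-Length": str(MAX_JSON_BODY_BYTES + 1)}, big)
    except BodyRejected as exc:
        print(exc.status, exc, "bytes consumed:", big.tell())
```

In an `http.server` handler, `self.headers` and `self.rfile` can be passed in directly, with `exc.status` forwarded to `send_error`.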

amazon-q-developer Bot (Contributor) left a comment

The implementation correctly adds a 64 KiB limit for JSON request bodies to prevent denial of service attacks. The size validation occurs before reading the request body, which is the proper approach for resource protection. Both PUT and POST auth endpoints handle oversized requests appropriately with 413 responses, and the test coverage validates both scenarios. No blocking issues found.



YoungJinJung changed the base branch from keyserver-foundation to main June 16, 2026 06:19

YoungJinJung (Contributor, Author) commented

Closing because this was opened against the wrong repository. The security triage is being redone against companyjupiter/quarkify.

Development

Successfully merging this pull request may close these issues.

Limit keyserver request body size to prevent memory exhaustion
