From f56eee315b6c44fdd9f6aa785cc2ec744a594428 Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Wed, 17 Mar 2021 12:45:31 -0400
Subject: [PATCH] Add max size for other HTTP calls.
---
 sydent/hs_federation/verifier.py | 2 +-
 sydent/http/httpclient.py | 14 +++++++++++---
 sydent/http/servlets/registerservlet.py | 1 +
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/sydent/hs_federation/verifier.py b/sydent/hs_federation/verifier.py
index 78d9af0e..1360672d 100644
--- a/sydent/hs_federation/verifier.py
+++ b/sydent/hs_federation/verifier.py
@@ -69,7 +69,7 @@ def _getKeysForServer(self, server_name):
 defer.returnValue(self.cache[server_name]['verify_keys'])
 client = FederationHttpClient(self.sydent)
- result = yield client.get_json("matrix://%s/_matrix/key/v2/server/" % server_name)
+ result = yield client.get_json("matrix://%s/_matrix/key/v2/server/" % server_name, 1024 * 50)
 if 'verify_keys' not in result:
 raise SignatureVerifyException("No key found in response")
diff --git a/sydent/http/httpclient.py b/sydent/http/httpclient.py
index 7358304f..2da0c5f1 100644
--- a/sydent/http/httpclient.py
+++ b/sydent/http/httpclient.py
@@ -25,6 +25,7 @@ from sydent.http.matrixfederationagent import MatrixFederationAgent
 from sydent.http.federation_tls_options import ClientTLSOptionsFactory
+from sydent.http.httpcommon import BodyExceededMaxSize, read_body_with_max_size
 logger = logging.getLogger(__name__)
@@ -34,12 +35,15 @@ class HTTPClient(object):
 requests.
 """
 @defer.inlineCallbacks
- def get_json(self, uri):
+ def get_json(self, uri, max_size = None):
 """Make a GET request to an endpoint returning JSON and parse result
 :param uri: The URI to make a GET request to.
 :type uri: unicode
+ :param max_size: The maximum size (in bytes) to allow as a response.
+ :type max_size: int
+
 :return: A deferred containing JSON parsed into a Python object.
 :rtype: twisted.internet.defer.Deferred[dict[any, any]]
 """
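Review bot: The limit passed to `get_json` in `_getKeysForServer` is an unnamed literal, `1024 * 50`, and the same pattern appears as `1024 * 5` in the registerservlet.py hunk. A named module-level constant with a short comment on why that size is enough for the reply would make these bounds easier to audit and tune, for example `MAX_KEY_RESPONSE_SIZE = 1024 * 50  # bytes; upper bound for a /_matrix/key/v2/server/ reply` (the name is only a suggestion). The body of `_getKeysForServer` starts and ends outside this hunk.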
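Review bot: `max_size` defaults to `None` in the new `get_json` signature, and the added docstring lines do not say what `None` means. If `read_body_with_max_size` treats `None` as "no limit" (it is imported from httpcommon and not shown here), every caller that omits the argument stays unbounded, so the docstring should say so, e.g. `:param max_size: The maximum size (in bytes) to allow as a response, or None for no limit.` with `:type max_size: int or None`. As a style point, PEP 8 writes the default without spaces: `def get_json(self, uri, max_size=None):`.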
@@ -49,7 +53,7 @@ def get_json(self, uri):
 b"GET",
 uri.encode("utf8"),
 )
- body = yield readBody(response)
+ body = yield read_body_with_max_size(response, max_size)
 try:
 # json.loads doesn't allow bytes in Python 3.5
 json_body = json.loads(body.decode("UTF-8"))
@@ -94,7 +98,11 @@ def post_json_get_nothing(self, uri, post_json, opts):
 # Ensure the body object is read otherwise we'll leak HTTP connections
 # as per
 # https://twistedmatrix.com/documents/current/web/howto/client.html
- yield readBody(response)
+ try:
+ # TODO Will this cause the server to think the request was a failure?
+ yield read_body_with_max_size(response, 0)
+ except BodyExceededMaxSize:
+ pass
 defer.returnValue(response)
diff --git a/sydent/http/servlets/registerservlet.py b/sydent/http/servlets/registerservlet.py
index d385a478..ebd07cce 100644
--- a/sydent/http/servlets/registerservlet.py
+++ b/sydent/http/servlets/registerservlet.py
@@ -51,6 +51,7 @@ def render_POST(self, request):
 "matrix://%s/_matrix/federation/v1/openid/userinfo?access_token=%s" % (
 args['matrix_server_name'], urllib.parse.quote(args['access_token']),
 ),
+ 1024 * 5,
 )
 if 'sub' not in result:
 raise Exception("Invalid response from homeserver")
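Review bot: `read_body_with_max_size(response, max_size)` sits before the `try:` in `get_json`, so a response over the limit presumably reaches callers as `BodyExceededMaxSize` rather than through the JSON error handling that follows. Neither changed call site (verifier.py, registerservlet.py) shows a handler inside its hunk, so it is worth confirming that an oversized reply from a remote server is reported as a failed key lookup or failed registration rather than as an unhandled error. The docstring should also gain `:raises BodyExceededMaxSize: if the response body is larger than max_size.` The rest of `get_json`, including the `except` clause, is outside this hunk.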
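Review bot: The comment kept above this block in `post_json_get_nothing` still says the body must be read to avoid leaking HTTP connections, but the new code reads it with a limit of `0` and swallows `BodyExceededMaxSize` with a bare `pass`. Whether the connection is still released once the limit trips depends on `read_body_with_max_size`, which is not visible here, so that should be checked and the open TODO resolved before merging. I would update the comment to describe what now happens, e.g. `# Discard the body with a limit of 0 so a remote server cannot make us buffer data we never use.`, and replace `pass` with `logger.debug("Discarded non-empty response body")` so the event is visible without logging the URI. The function starts outside this hunk.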