fix: validate FileSize in NewDataBuilder to prevent OOM DoS (#25710) … · coder/coder@15ff74a
@@ -246,24 +246,28 @@ func (s *Session) handleInitRequest(init *proto.InitRequest, requests <-chan *pr
246246s.Logger.Info(s.Context(), "plan response too large, sending modules as stream",
247247slog.F("size_bytes", len(complete.ModuleFiles)),
248248 )
249-dataUp, chunks := proto.BytesToDataUpload(proto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, complete.ModuleFiles)
250-251-complete.ModuleFiles = nil // sent over the stream
252-complete.ModuleFilesHash = dataUp.DataHash
253-254-err := s.stream.Send(&proto.Response{Type: &proto.Response_DataUpload{DataUpload: dataUp}})
249+dataUp, chunks, err := proto.BytesToDataUpload(proto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, complete.ModuleFiles)
255250if err != nil {
256-complete.Error = fmt.Sprintf("send data upload: %s", err.Error())
251+complete.Error = fmt.Sprintf("prepare module files upload: %s", err.Error())
257252 } else {
258-for i, chunk := range chunks {
259-err := s.stream.Send(&proto.Response{Type: &proto.Response_ChunkPiece{ChunkPiece: chunk}})
260-if err != nil {
261-complete.Error = fmt.Sprintf("send data piece upload %d/%d: %s", i, dataUp.Chunks, err.Error())
262-break
253+complete.ModuleFiles = nil // sent over the stream
254+complete.ModuleFilesHash = dataUp.DataHash
255+256+err := s.stream.Send(&proto.Response{Type: &proto.Response_DataUpload{DataUpload: dataUp}})
257+if err != nil {
258+complete.Error = fmt.Sprintf("send data upload: %s", err.Error())
259+ } else {
260+for i, chunk := range chunks {
261+err := s.stream.Send(&proto.Response{Type: &proto.Response_ChunkPiece{ChunkPiece: chunk}})
262+if err != nil {
263+complete.Error = fmt.Sprintf("send data piece upload %d/%d: %s", i, dataUp.Chunks, err.Error())
264+break
265+ }
263266 }
264267 }
265268 }
266269 }
270+267271s.initialized = true
268272269273return complete, nil