feat: limit the size of the body read back from http requests

Signed-off-by: Adam Talbot <adam.talbot@venafi.com>

pkg/issuer/acme/dns/cloudflare/cloudflare.go

@@ -28,6 +28,10 @@ import (
 // TODO: Unexport?
 const CloudFlareAPIURL = "https://api.cloudflare.com/client/v4"
 
+// cloudFlareMaxBodySize is the max size of a received response body. The value is arbitrary
+// and is chosen to be large enough that any reasonable response would fit.
+const cloudFlareMaxBodySize = 1024 * 1024 // 1mb
+
 // DNSProviderType is the Mockable Interface
 type DNSProviderType interface {
 	makeRequest(method, uri string, body io.Reader) (json.RawMessage, error)
@@ -275,7 +279,7 @@ func (c *DNSProvider) makeRequest(method, uri string, body io.Reader) (json.RawM
 	defer resp.Body.Close()
 
 	var r APIResponse
-	err = json.NewDecoder(resp.Body).Decode(&r)
+	err = json.NewDecoder(io.LimitReader(resp.Body, cloudFlareMaxBodySize)).Decode(&r)
 	if err != nil {
 		return nil, err
 	}

pkg/issuer/acme/http/http.go

@@ -49,6 +49,11 @@ const (
 	acmeSolverListenPort = 8089
 
 	loggerName = "http01"
+
+	// maxAcmeChallengeBodySize is the max size of a received response body for an
+	// acme http challenge. The value is arbitrary and is chosen to be large enough
+	// that any reasonable response would fit.
+	maxAcmeChallengeBodySize = 1024 * 1024 // 1mb
 )
 
 var (
@@ -301,7 +306,7 @@ func testReachability(ctx context.Context, url *url.URL, key string, dnsServers
 		return fmt.Errorf("wrong status code '%d', expected '%d'", response.StatusCode, http.StatusOK)
 	}
 
-	presentedKey, err := io.ReadAll(response.Body)
+	presentedKey, err := io.ReadAll(io.LimitReader(response.Body, maxAcmeChallengeBodySize))
 	if err != nil {
 		log.V(logf.DebugLevel).Info("failed to decode response body", "error", err)
 		return fmt.Errorf("failed to read response body: %v", err)