fix: add resource limits on encoded prefs route

Author: sigaloid

src/settings.rs

@@ -11,6 +11,7 @@ use futures_lite::StreamExt;
 use hyper::{Body, Request, Response};
 use rinja::Template;
 use time::{Duration, OffsetDateTime};
+use tokio::time::timeout;
 use url::form_urlencoded;
 
 // STRUCTS
@@ -269,16 +270,26 @@ pub async fn encoded_restore(req: Request<Body>) -> Result<Response<Body>, Strin
 		.await
 		.map_err(|e| format!("Failed to get bytes from request body: {}", e))?;
 
+	if body.len() > 1024 * 1024 {
+		return Err("Request body too large".to_string());
+	}
+
 	let encoded_prefs = form_urlencoded::parse(&body)
 		.find(|(key, _)| key == "encoded_prefs")
 		.map(|(_, value)| value)
 		.ok_or_else(|| "encoded_prefs parameter not found in request body".to_string())?;
 
 	let bytes = base2048::decode(&encoded_prefs).ok_or_else(|| "Failed to decode base2048 encoded preferences".to_string())?;
 
-	let out = deflate_decompress(bytes)?;
+	let out = timeout(std::time::Duration::from_secs(1), async { deflate_decompress(bytes) })
+		.await
+		.map_err(|e| format!("Failed to decompress bytes: {}", e))??;
+
+	let mut prefs: Preferences = timeout(std::time::Duration::from_secs(1), async { bincode::deserialize(&out) })
+		.await
+		.map_err(|e| format!("Failed to deserialize preferences: {}", e))?
+		.map_err(|e| format!("Failed to deserialize bytes into Preferences struct: {}", e))?;
 
-	let mut prefs: Preferences = bincode::deserialize(&out).map_err(|e| format!("Failed to deserialize bytes into Preferences struct: {}", e))?;
 	prefs.available_themes = vec![];
 
 	let url = format!("/settings/restore/?{}", prefs.to_urlencoded()?);