Skip to content

✨ Limit max_response_size #444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 21, 2025
Merged

✨ Limit max_response_size #444

merged 2 commits into from
Apr 21, 2025

Conversation

nevans
Copy link
Collaborator

@nevans nevans commented Apr 21, 2025
edited
Loading

Add Net::IMAP::Config#max_response_size, with a very high default value of 512MiB. Use #max_response_size to impose a limit on incoming server responses as they are being read. This is especially important for untrusted servers.

Socket reads are limited to the maximum remaining bytes for the current response: max_response_size minus the bytes that have already been read. When the limit is reached, or reading a literal would go over the limit, ResponseTooLargeError is raised and the connection is closed.

Though it would be useful to also have limits based on response type and what commands are currently running, that's out of scope for now.

Please note: this only limits the size per response. It does not limit how many unhandled responses may be stored on the responses hash.

@nevans
✨ Limit max response size to 512MiB (hard-coded)
0ae8576 
_Please note:_ this only limits the size per response.  It does _not_
limit how many unhandled responses may be stored on the responses hash.
@nevans nevans changed the title ✨ Limit response size ✨ Limit max_response_size Apr 21, 2025
@nevans
✨ Make max_response_size configurable
b6bdee2 
Though it would be useful to also have limits based on response type and
what commands are currently running, that's out of scope for now.

_Please note:_ this only limits the size per response.  It does _not_
limit how many unhandled responses may be stored on the responses hash.
@nevans nevans force-pushed the limit-response-size branch from 14c2532 to b6bdee2 Compare April 21, 2025 03:25
This was referenced Apr 21, 2025
Merged
Merged
Merged
@nevans nevans added the enhancement New feature or request label Apr 21, 2025
@nevans nevans merged commit 10137ba into master Apr 21, 2025
37 checks passed
@nevans nevans deleted the limit-response-size branch April 21, 2025 11:08
@ggilder ggilder mentioned this pull request Apr 29, 2025
Merged
This was referenced May 5, 2025
Closed
Closed
headius added a commit to headius/jruby that referenced this pull request May 5, 2025
@headius
Update to net-imap 0.5.8 for security fixes
30f5372 
Security fixes were in 0.5.7

See https://github.com/ruby/net-imap/releases/tag/v0.5.7

* ruby/net-imap#419
* ruby/net-imap#444

The security advisory is at GHSA-j3g3-5qv5-52mj

Release 0.5.8 includes additional improvements and fixes.

See https://github.com/ruby/net-imap/releases/tag/v0.5.8
headius added a commit to headius/jruby that referenced this pull request May 5, 2025
@headius
Update to net-imap 0.5.8 for security fixes
fabee18 
Security fixes were in 0.5.7

See https://github.com/ruby/net-imap/releases/tag/v0.5.7

* ruby/net-imap#419
* ruby/net-imap#444

The security advisory is at GHSA-j3g3-5qv5-52mj

Release 0.5.8 includes additional improvements and fixes.

See https://github.com/ruby/net-imap/releases/tag/v0.5.8
@headius headius mentioned this pull request May 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nevans