TTP-03-002 WP1: RDSys moat size limits
Vulnerability type: TTP-03-002 WP1: POST requests on rdsys moat lack body size limits
Threat level: _Medium_
While testing the rdsys moat distributor, it was discovered that the /moat/circumvention/settings endpoint does not properly limit the size of the request's body. A malicious actor could use this to cause a DoS condition on the server by sending a large JSON document, which the server would read fully into memory and crash due to an out-of-memory condition. From there, attackers could DoS the server with very few resources, impacting the availability of the bridge distributor.
Affected file: pkg/presentation/distributors/moat/web.go
Affected code:
func circumventionSettingsHandler(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Content-Type", "application/json")
    enc := json.NewEncoder(w)
    var request circumventionSettingsRequest
    // r.Body is handed to the decoder unbounded: nothing caps how much is read
    dec := json.NewDecoder(r.Body)
    err := dec.Decode(&request)
It is recommended to wrap r.Body in an io.LimitReader with a reasonable maximum body size (e.g., 100KB) before decoding, so that a request larger than the limit is rejected instead of being read into memory, which prevents attacks of this nature.
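A hardened form of the affected handler, written here as an added example (not rdsys's own code): the 100KB value, the circumventionSettingsRequest field, and the decodeLimited and serve helpers are assumptions. It uses an io.LimitedReader sized one byte above the cap so an oversized body is detected and answered with 413 rather than silently truncated.

```go
package main
import (
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is the cap suggested in the finding (100KB); the exact value is an assumption.
const maxBodyBytes = 100 * 1024

// circumventionSettingsRequest stands in for rdsys's real request type; the field is assumed.
type circumventionSettingsRequest struct {
	Country string `json:"country"`
}

var errBodyTooLarge = errors.New("request body exceeds limit")

// decodeLimited reads through an io.LimitedReader allowing maxBytes+1 bytes: if the reader
// is exhausted (N == 0) the body was larger than maxBytes, so the caller can answer 413.
func decodeLimited(r io.Reader, maxBytes int64, v interface{}) error {
	lr := &io.LimitedReader{R: r, N: maxBytes + 1}
	err := json.NewDecoder(lr).Decode(v)
	if lr.N == 0 {
		return errBodyTooLarge
	}
	return err
}

// Hardened version of the affected handler: the decoder never sees more than the limit.
func circumventionSettingsHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	var request circumventionSettingsRequest
	switch err := decodeLimited(r.Body, maxBodyBytes, &request); {
	case errors.Is(err, errBodyTooLarge):
		http.Error(w, `{"error":"request body too large"}`, http.StatusRequestEntityTooLarge)
		return
	case err != nil:
		http.Error(w, `{"error":"invalid JSON"}`, http.StatusBadRequest)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{"country": request.Country})
}

// serve drives the handler with an in-memory POST and returns the HTTP status code.
func serve(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/moat/circumvention/settings", strings.NewReader(body))
	circumventionSettingsHandler(rec, req)
	return rec.Code
}
```

The standard library's http.MaxBytesReader is an equivalent drop-in for the LimitedReader that also closes the connection on overflow.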
We need a mitigation plan for this issue by the end of February.