API security improvements

cmd/ubsserver/main.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"regexp"
 	"strings"
+	"time"
 
 	"gitlab.com/mporrato/uBrowserSync/syncstore"
 )
@@ -77,6 +78,7 @@ func info(w http.ResponseWriter, req *http.Request) {
 
 func createSync(w http.ResponseWriter, req *http.Request) {
 	body := new(syncstore.CreateReq)
+	req.Body = http.MaxBytesReader(w, req.Body, 10000)
 	err := json.NewDecoder(req.Body).Decode(&body)
 	if err != nil {
 		sendJSONError(w, invalidRequestError)
@@ -123,6 +125,7 @@ func getVersion(syncId string, w http.ResponseWriter, _ *http.Request) {
 
 func updateSync(syncId string, w http.ResponseWriter, req *http.Request) {
 	body := new(syncstore.UpdateReq)
+	req.Body = http.MaxBytesReader(w, req.Body, int64(10000 + maxSyncSize))
 	err := json.NewDecoder(req.Body).Decode(&body)
 	if err != nil {
 		sendJSONError(w, invalidRequestError)
@@ -191,6 +194,10 @@ func bookmarks(w http.ResponseWriter, req *http.Request) {
 	sendJSONError(w, syncstore.NotImplementedError)
 }
 
+func notFound(w http.ResponseWriter, _ *http.Request) {
+	sendJSONError(w, syncstore.NotImplementedError)
+}
+
 func init() {
 	var (
 		err       error
@@ -224,11 +231,20 @@ func init() {
 }
 
 func main() {
-	http.HandleFunc("/info", info)
-	http.HandleFunc("/bookmarks", bookmarks)
-	http.HandleFunc("/bookmarks/", bookmarks)
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", notFound)
+	mux.HandleFunc("/info", info)
+	mux.HandleFunc("/info/", info)
+	mux.HandleFunc("/bookmarks", bookmarks)
+	mux.HandleFunc("/bookmarks/", bookmarks)
 
 	log.Println("HTTP server listening on", listen)
-	err := http.ListenAndServe(listen, nil)
+	server := &http.Server{
+		Addr: listen,
+		Handler: mux,
+		ReadTimeout: 15 * time.Second,
+		WriteTimeout: 15 * time.Second,
+		MaxHeaderBytes: 5000}
+	err := server.ListenAndServe()
 	log.Println("HTTP server terminated", err)
 }