fix: limit outgoing webhook response size to prevent memory exhaustion (#38760)

Co-authored-by: Kevin Aleman <11577696+KevLehman@users.noreply.github.com>
5 days ago · dad0dba81e
parent 3145c41615
commit dad0dba81e
2 changed files with 6 additions and 0 deletions
--- a/.changeset/shiny-pears-admire.md
+++ b/.changeset/shiny-pears-admire.md
@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Limits `Outgoing webhook` maximum response size to 10mb.
--- a/apps/meteor/app/integrations/server/lib/triggerHandler.ts
+++ b/apps/meteor/app/integrations/server/lib/triggerHandler.ts
@ -621,6 +621,7 @@ class RocketChatIntegrationHandler {
 				...(opts.data && { body: opts.data }),
 				// SECURITY: Integrations can only be configured by users with enough privileges. It's ok to disable this check here.
 				ignoreSsrfValidation: true,
+				size: 10 * 1024 * 1024,
 			},
 			settings.get('Allow_Invalid_SelfSigned_Certs'),
 		)