chore: bring back x-auth-checks with a length limit (#19928)

2026-06-03 04:58:23 +00:00 · 2025-09-24 10:46:50 -06:00
parent adb7521066
commit a6fc28cc6f
2 changed files with 15 additions and 10 deletions
@@ -9,6 +9,14 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac"
 )

+// The x-authz-checks header can end up being >10KB in size on certain queries.
+// Many HTTP clients will fail if a header or the response head as a whole is
+// too long to prevent malicious responses from consuming all of the client's
+// memory. I've seen reports that browsers have this limit as low as 4KB for the
+// entire response head, so we limit this header to a little less than 2KB,
+// ensuring there's still plenty of room for the usual smaller headers.
+const maxHeaderLength = 2000
+
 // This is defined separately in slim builds to avoid importing the rbac
 // package, which is a large dependency.
 func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) {
@@ -23,6 +31,11 @@ func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) {
 		//   configured on server startup for development and testing builds.
 		// - If this header is missing from a response, make sure the response is
 		//   being written by calling `httpapi.Write`!
-		rw.Header().Set("x-authz-checks", rec.String())
+		checks := rec.String()
+		if len(checks) > maxHeaderLength {
+			checks = checks[:maxHeaderLength]
+			checks += "<truncated>"
+		}
+		rw.Header().Set("x-authz-checks", checks)
 	}
 }