Aias00 opened a new issue, #975: URL: https://github.com/apache/dubbo-go-pixiu/issues/975
### ✅ Verification Checklist

- [x] 🔍 I have searched the [existing issues](https://github.com/apache/dubbo-go-pixiu/issues) and confirmed this is not a duplicate

### 🚀 Go Version

go1.26.3

### 📦 Dubbo-go-pixiu Version

develop branch

### 🖥️ Server Configuration

_No response_

### 💻 Client Configuration

_No response_

### 🌐 Protocol Configuration

_No response_

### 📋 Registry Configuration

_No response_

### 💾 Operating System

🍎 macOS

### 📝 Bug Description

The hot reload HTTP handler reads the entire request body with `io.ReadAll(r.Body)` without enforcing a maximum size.

Affected code:

- `pkg/hotreload/http_handler.go`

An authenticated caller can send a very large request body to the reload endpoint, causing excessive memory usage and potential denial of service.

### 🔄 Steps to Reproduce

1. Start Pixiu with the hot reload HTTP server enabled.
2. Send an authenticated `POST /-/reload` request.
3. Use a very large request body.
4. Observe that the handler attempts to read the entire body into memory.

### ✅ Expected Behavior

The reload endpoint should enforce a reasonable maximum request body size and return `413 Request Entity Too Large` when the limit is exceeded.

### ❌ Actual Behavior

The reload endpoint reads the full request body without a configured size limit.

### 💡 Possible Solution

_No response_
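The fix the issue asks for, shown as an added example that is not Pixiu's own code: the unbounded `io.ReadAll` pattern beside a handler that wraps the body in `http.MaxBytesReader` and answers 413 once the cap is exceeded. The limit, handler names and the `statusFor` test helper are assumptions for this illustration; the `/-/reload` path is the one named in the report.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed cap for a reload request; Pixiu does not define this constant.
const maxReloadBodyBytes = 1 << 20 // 1 MiB

// vulnerableReload mirrors the pattern the issue describes: the whole body
// is read into memory, so request size is bounded only by what the client sends.
func vulnerableReload(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "reloaded %d bytes", len(body))
}

// hardenedReload caps the body before reading. MaxBytesReader stops the read
// after maxReloadBodyBytes and returns *http.MaxBytesError, which maps to 413.
func hardenedReload(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxReloadBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "reloaded %d bytes", len(body))
}

// statusFor posts a constructed body of n bytes to handler and returns the status code.
func statusFor(handler http.HandlerFunc, n int) int {
	req := httptest.NewRequest(http.MethodPost, "/-/reload", strings.NewReader(strings.Repeat("a", n)))
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, 2 MiB:", statusFor(vulnerableReload, 2<<20)) // 200, body fully buffered
	fmt.Println("hardened, 2 MiB:", statusFor(hardenedReload, 2<<20))     // 413
	fmt.Println("hardened, 1 KiB:", statusFor(hardenedReload, 1024))      // 200
}
```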
