From 71d46c911656c68e9503846fa832cb436f4139d6 Mon Sep 17 00:00:00 2001
From: ibrahimu8
Date: Sun, 19 Oct 2025 19:44:42 +0100
Subject: [PATCH] security: add resource limits to config parser to prevent DoS

- Add maxConfigFileSize (5MB) and maxConfigKeys (10000) constants
- Check file size before YAML parsing in parse() function
- Check key count after unmarshaling in both parse() and parseRaw()
- Prevents memory/CPU exhaustion attacks via malicious config files
Fixes: Resource exhaustion vulnerability where attackers could crash Nebula by providing extremely large configuration files
---
 config/config.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/config/config.go b/config/config.go
index 55103245..02ecf4b3 100644
--- a/config/config.go
+++ b/config/config.go
@@ -20,6 +20,13 @@ import (
 "gopkg.in/yaml.v3"
 )
 
+const (
+// Maximum allowed config file size (5MB)
+maxConfigFileSize = 5 * 1024 * 1024
+// Maximum number of keys in a single config file
+maxConfigKeys = 10000
+)
+
 type C struct {
 path string
 files []string
@@ -369,6 +376,11 @@ func (c *C) parseRaw(b []byte) error {
 return err
 }
 
+ // Check number of configuration keys
+ if len(m) > maxConfigKeys {
+ return fmt.Errorf("config string has too many keys: %d keys, max: %d", len(m), maxConfigKeys)
+ }
+
 c.Settings = m
 return nil
 }
@@ -382,7 +394,17 @@ func (c *C) parse() error {
 return err
 }
 
+ // Check config file size before parsing
+ if len(b) > maxConfigFileSize {
+ return fmt.Errorf("config file too large: %s (%d bytes, max: %d bytes)", path, len(b), maxConfigFileSize)
+ }
+
 var nm map[string]any
+ // Check number of configuration keys
+ if len(nm) > maxConfigKeys {
+ return fmt.Errorf("config file has too many keys: %s (%d keys, max: %d)", path, len(nm), maxConfigKeys)
+ }
+
 err = yaml.Unmarshal(b, &nm)
 if err != nil {
 return err
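Review bot: The comments and constants inside the new `const (` block appear flush with the left margin, unlike the other added lines in this patch, so config/config.go would not be gofmt-clean as committed; running gofmt on the file fixes it. The comments could also follow Go doc style and give the unit exactly, for example `// maxConfigFileSize is the largest config file parse() accepts, in bytes (5 MiB).`, since `5 * 1024 * 1024` is 5 MiB rather than the "5MB" the comment states.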
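Review bot: `len(m)` counts only the top-level keys of the decoded map, and the check runs after the unmarshal step has already built the whole document, so it bounds neither nested keys nor the parsing cost the commit message is concerned with; the same holds for the key check in parse(). parseRaw also gets no size limit on `b`, unlike parse(). A guard ahead of the unmarshal call would make the two paths agree, for example `if len(b) > maxConfigFileSize { return fmt.Errorf("config string too large: %d bytes, max: %d bytes", len(b), maxConfigFileSize) }`. The start of parseRaw, including the unmarshal call itself, is outside this hunk.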
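Review bot: The added `if len(nm) > maxConfigKeys` check sits between `var nm map[string]any` and `err = yaml.Unmarshal(b, &nm)`, so `nm` is still nil, `len(nm)` is always 0, and the key limit in parse() can never trigger. Move the check below the `if err != nil { return err }` that follows the Unmarshal call, where parseRaw places it. The size check tests `len(b)` once the content is already in memory (the read is above the hunk, so presumably the whole file has been loaded), which limits what reaches the YAML parser but not the memory used to read it. Checking the size with `os.Stat` before reading, or reading through an `io.LimitReader`, would cover that case. parse() begins and ends outside this hunk.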