From f08f2ead424a3e85bdc82e89df8f2ac68c16955d Mon Sep 17 00:00:00 2001
From: marcello33
Date: Thu, 31 Oct 2024 10:56:34 +0100
Subject: [PATCH] chg: some sec fixes

---
 consensus/bor/heimdall/client.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/consensus/bor/heimdall/client.go b/consensus/bor/heimdall/client.go
index 680c09d5f7..029164c986 100644
--- a/consensus/bor/heimdall/client.go
+++ b/consensus/bor/heimdall/client.go
@@ -31,9 +31,10 @@ var (
 )
 
 const (
- stateFetchLimit = 50
- apiHeimdallTimeout = 5 * time.Second
- retryCall = 5 * time.Second
+ heimdallAPIBodyLimit = 128 * 1024 * 1024 // 128 MB
+ stateFetchLimit = 50
+ apiHeimdallTimeout = 5 * time.Second
+ retryCall = 5 * time.Second
 )
 
 type StateSyncEventsResponse struct {
@@ -455,8 +456,11 @@ func internalFetch(ctx context.Context, client http.Client, u *url.URL) ([]byte,
 return nil, nil
 }
 
+ // Limit the number of bytes read from the response body
+ limitedBody := http.MaxBytesReader(nil, res.Body, heimdallAPIBodyLimit)
+
 // get response
- body, err := io.ReadAll(res.Body)
+ body, err := io.ReadAll(limitedBody)
 if err != nil {
 return nil, err
 }
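Review bot: The new `heimdallAPIBodyLimit` constant carries only `// 128 MB`, which restates the arithmetic rather than the intent, so a maintainer tuning it later has no record of what it guards or what happens when it is hit. I would replace the trailing comment with a line above the constant such as `// heimdallAPIBodyLimit caps how much of a Heimdall HTTP response internalFetch reads into memory; a larger body is rejected with an error rather than truncated.` Whether 128 MB sits just above the largest legitimate Heimdall response or far above it cannot be judged from this hunk, and the chosen margin is worth recording in the same comment.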
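Review bot: The error produced when the body exceeds `heimdallAPIBodyLimit` is passed up bare at `return nil, err`, so a caller cannot tell an oversized response from a transport failure and nothing in the log names the limit that was tripped. I would wrap it with context, e.g. `return nil, fmt.Errorf("reading heimdall response from %s: %w", u.String(), err)` (assuming `fmt` is already imported in this file), which keeps `*http.MaxBytesError` reachable through `errors.As` for any caller that wants to stop retrying rather than re-fetch a response that will never fit; the retry loop around this function is outside the hunk, so that risk is inferred. Using `http.MaxBytesReader` with a nil `ResponseWriter` on a client-side body is fine and, unlike `io.LimitReader`, fails loudly instead of silently truncating, which is the right choice here. Note that `io.ReadAll` can still allocate up to the full 128 MB per in-flight request, so the cap bounds one response but not aggregate memory across concurrent fetches. `internalFetch` begins and ends outside this hunk.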