fix: validate FileSize in NewDataBuilder to prevent OOM DoS (#25710) (#26185)

jdomeracki-coder · f0ssel · web-flow · commit 15ff74af2fd0 · 2026-06-11T16:22:39.000-04:00
Backport of #25710 to `release/2.33`. Cherry-picked with `git cherry-pick -x` (`a2e1ddb56f`); the commit body references the original PR. _Generated by Coder Agents on behalf of @jdomeracki-coder._ Co-authored-by: Garrett Delfosse <garrett@coder.com>
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -1609,7 +1609,10 @@ func (s *server) DownloadFile(request *proto.FileRequest, stream proto.DRPCProvi
 		return fail(xerrors.Errorf("unsupported file upload type: %s", request.UploadType))
 	}
 
-	upload, chunks := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, file.Data)
+	upload, chunks, err := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, file.Data)
+	if err != nil {
+		return fail(xerrors.Errorf("prepare file upload: %w", err))
+	}
 
 	err = stream.Send(&sdkproto.FileUpload{
 		Type: &sdkproto.FileUpload_DataUpload{DataUpload: upload},
diff --git a/coderd/provisionerdserver/upload_file_test.go b/coderd/provisionerdserver/upload_file_test.go
@@ -48,7 +48,8 @@ func TestUploadFileLargeModuleFiles(t *testing.T) {
 			require.NoError(t, err)
 
 			// Convert to upload format
-			upload, chunks := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, moduleData)
+			upload, chunks, err := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, moduleData)
+			require.NoError(t, err)
 
 			stream := newMockUploadStream(upload, chunks...)
 
@@ -93,7 +94,8 @@ func TestUploadFileErrorScenarios(t *testing.T) {
 	_, err := crand.Read(moduleData)
 	require.NoError(t, err)
 
-	upload, chunks := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, moduleData)
+	upload, chunks, err := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, moduleData)
+	require.NoError(t, err)
 
 	t.Run("chunk_before_upload", func(t *testing.T) {
 		t.Parallel()
diff --git a/provisionerd/provisionerd.go b/provisionerd/provisionerd.go
@@ -533,7 +533,10 @@ func (p *Server) UploadModuleFiles(ctx context.Context, moduleFiles []byte) erro
 		}
 		defer stream.Close()
 
-		dataUp, chunks := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, moduleFiles)
+		dataUp, chunks, err := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, moduleFiles)
+		if err != nil {
+			return nil, xerrors.Errorf("prepare module files upload: %w", err)
+		}
 
 		err = stream.Send(&sdkproto.FileUpload{Type: &sdkproto.FileUpload_DataUpload{DataUpload: dataUp}})
 		if err != nil {
diff --git a/provisionerd/runner/init.go b/provisionerd/runner/init.go
@@ -19,14 +19,17 @@ func (r *Runner) init(ctx context.Context, omitModules bool, templateArchive []b
 	// If `moduleTar` is populated, `init` will send it over in multiple parts. This
 	// It must be called before the initial request to populate the correct hash if
 	// there is data to send. This is safe to call on nil or empty slices.
-	data, chunks := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, moduleTar)
+	data, chunks, err := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, moduleTar)
+	if err != nil {
+		return nil, r.failedJobf("prepare module files upload: %v", err)
+	}
 
 	hash := []byte{}
 	if len(moduleTar) > 0 {
 		hash = data.DataHash
 	}
 
-	err := r.session.Send(&sdkproto.Request{Type: &sdkproto.Request_Init{Init: &sdkproto.InitRequest{
+	err = r.session.Send(&sdkproto.Request{Type: &sdkproto.Request_Init{Init: &sdkproto.InitRequest{
 		TemplateSourceArchive: templateArchive,
 		OmitModuleFiles:       omitModules,
 		InitialModuleTarHash:  hash,
diff --git a/provisionersdk/proto/dataupload.go b/provisionersdk/proto/dataupload.go
diff --git a/provisionersdk/proto/dataupload_test.go b/provisionersdk/proto/dataupload_test.go
diff --git a/provisionersdk/session.go b/provisionersdk/session.go
@@ -246,24 +246,28 @@ func (s *Session) handleInitRequest(init *proto.InitRequest, requests <-chan *pr
 		s.Logger.Info(s.Context(), "plan response too large, sending modules as stream",
 			slog.F("size_bytes", len(complete.ModuleFiles)),
 		)
-		dataUp, chunks := proto.BytesToDataUpload(proto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, complete.ModuleFiles)
-
-		complete.ModuleFiles = nil // sent over the stream
-		complete.ModuleFilesHash = dataUp.DataHash
-
-		err := s.stream.Send(&proto.Response{Type: &proto.Response_DataUpload{DataUpload: dataUp}})
+		dataUp, chunks, err := proto.BytesToDataUpload(proto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, complete.ModuleFiles)
 		if err != nil {
-			complete.Error = fmt.Sprintf("send data upload: %s", err.Error())
+			complete.Error = fmt.Sprintf("prepare module files upload: %s", err.Error())
 		} else {
-			for i, chunk := range chunks {
-				err := s.stream.Send(&proto.Response{Type: &proto.Response_ChunkPiece{ChunkPiece: chunk}})
-				if err != nil {
-					complete.Error = fmt.Sprintf("send data piece upload %d/%d: %s", i, dataUp.Chunks, err.Error())
-					break
+			complete.ModuleFiles = nil // sent over the stream
+			complete.ModuleFilesHash = dataUp.DataHash
+
+			err := s.stream.Send(&proto.Response{Type: &proto.Response_DataUpload{DataUpload: dataUp}})
+			if err != nil {
+				complete.Error = fmt.Sprintf("send data upload: %s", err.Error())
+			} else {
+				for i, chunk := range chunks {
+					err := s.stream.Send(&proto.Response{Type: &proto.Response_ChunkPiece{ChunkPiece: chunk}})
+					if err != nil {
+						complete.Error = fmt.Sprintf("send data piece upload %d/%d: %s", i, dataUp.Chunks, err.Error())
+						break
+					}
 				}
 			}
 		}
 	}
+
 	s.initialized = true
 
 	return complete, nil
