fix(fetchers): enforce twitter fetch hardening limits by chaliy · Pull Request #124 · everruns/fetchkit

chaliy · 2026-05-17T16:48:26Z

Close a hardening bypass where TwitterFetcher followed upstream redirects and buffered API responses without honoring FetchOptions limits, which could enable SSRF or large-body exhaustion for Twitter/X syndication and oEmbed responses.

Disable automatic redirect following for the Twitter-specific client by using reqwest::redirect::Policy::none() to avoid unvalidated redirect hops.
Enforce configured body-size and timeout limits by replacing response.text() / response.json() with the shared streaming helper read_body_with_timeout(response, BODY_TIMEOUT, max_size) and fall back to DEFAULT_MAX_BODY_SIZE when options.max_body_size is unset.
Parse syndication JSON via serde_json::from_str on the bounded buffer (converted to UTF-8 lossily) and parse oEmbed via serde_json::from_slice on the bounded bytes, and add the use import for the helper symbols.

Ran formatter with cargo fmt --all which completed successfully.
Ran the targeted Rust unit tests with cargo test -p fetchkit twitter::tests -- --nocapture and the twitter fetcher tests all passed (20 passed, 0 failed).

…lnerability

fix(fetchers): enforce twitter fetch hardening limits

45b1ddc

chaliy added codex aardvark labels May 17, 2026 — with ChatGPT Codex Connector

Merge branch 'main' into 2026-05-17-propose-fix-for-twitterfetcher-vu…

9379926

…lnerability

chaliy merged commit 82936ad into main May 17, 2026
11 checks passed

chaliy deleted the 2026-05-17-propose-fix-for-twitterfetcher-vulnerability branch May 17, 2026 18:52

Provide feedback