From f4049d301548fb94bdeba83af10e1e916be34f92 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:03:43 -0800
Subject: [PATCH] Limit webhook body size to 1MB

Fixes #21
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/forgejo/webhook.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/forgejo/webhook.go b/internal/forgejo/webhook.go
index 75fd0a1..3f3f307 100644
--- a/internal/forgejo/webhook.go
+++ b/internal/forgejo/webhook.go
@@ -39,7 +39,7 @@ func VerifyWebhookSignature(r *http.Request, secret string) ([]byte, error) {
 		return nil, fmt.Errorf("missing X-Forgejo-Signature header")
 	}
 
-	body, err := io.ReadAll(r.Body)
+	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
 	if err != nil {
 		return nil, fmt.Errorf("read body: %w", err)
 	}