Skip to content

fix(minidump): Streaming uploads from external relays #5977

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jjbayer merged 14 commits into from
May 22, 2026
+204 −95

Merge remote-tracking branch 'origin/master' into test/minidump-external

3728a42
Select commit
Loading
Failed to load commit list.
Merged

fix(minidump): Streaming uploads from external relays #5977

Merge remote-tracking branch 'origin/master' into test/minidump-external
3728a42
Select commit
Loading
Failed to load commit list.
@sentry/warden / warden completed May 21, 2026 in 6m 10s

1 issue

Medium

External clients can bypass upload quota checks via deferred length - `relay-server/src/endpoints/upload.rs:157`

Removing the trust check from validate_post_headers lets any external client send Upload-Defer-Length: 1 instead of declaring the real upload size, causing check_request to evaluate quota against 1 byte while the actual upload can reach max_upload_size.

Also found at:

  • relay-server/src/utils/tus.rs:29-31
1 skill analyzed
Skill Findings Duration Cost
security-review 1 4m 28s $2.00

⏱ 4m 28s · 1.1M in / 25.1k out · $2.00

View more details on @sentry/warden