fix(synology-chat): enforce bounded webhook body reads

[bmendonca3]

Summary

• Harden Synology Chat webhook ingress against slow-body request exhaustion.
• Replace the ad-hoc body reader with the shared bounded reader (readRequestBodyWithLimit) so request size and read time are both enforced before parsing.
• Add a regression test that verifies stalled POST bodies are rejected with timeout semantics.

Change Type

• Security fix (webhook ingress hardening / DoS mitigation)
• Regression test

Scope

• extensions/synology-chat/src/webhook-handler.ts
• extensions/synology-chat/src/webhook-handler.test.ts

Security Impact

• Boundary crossed before fix: unauthenticated HTTP ingress resource controls (body read time bound).
• Impact: attacker could open many POST requests and trickle/incomplete-body them so handlers waited indefinitely for end before token checks, consuming gateway connection/resources.
• Worst case: connection-slot and worker starvation (slowloris-style denial of service) on Synology webhook endpoints.

Repro + Verification

1. Start a gateway with Synology Chat webhook enabled.
2. Send a POST request to the webhook path with a partial body and keep the connection open without completing it.
3. Before fix: request can remain pending until server-level socket timeout; handler itself has no body-read timeout guard.
4. After fix: request body read is bounded; timed-out body is rejected.

Automated verification:

• pnpm exec vitest run extensions/synology-chat/src/webhook-handler.test.ts --maxWorkers=1

Evidence

• New regression test: returns 408 when request body times out.
• Handler now uses bounded body-read API and maps structured limit/timeout errors to HTTP responses.

Human Verification

1. Reproduce with an incomplete chunked POST against the Synology webhook path.
2. Confirm the request no longer hangs indefinitely at handler level.
3. Confirm valid webhook requests still succeed and invalid token checks still return unauthorized.

Compatibility / Migration

• No config or API migration required.
• Error behavior is stricter for malformed/stalled webhook requests (bounded responses instead of open-ended read wait).

Failure Recovery

• If legitimate clients hit timeouts, ensure they complete webhook payload transmission promptly and avoid long-stalled uploads.

Risks and Mitigations

• Risk: stricter timeout behavior may reject exceptionally slow clients.
• Mitigation: timeout is aligned with existing webhook ingress guardrails used elsewhere in the codebase.

Greptile Summary

Replaced ad-hoc body reader in Synology Chat webhook handler with the shared bounded reader (readRequestBodyWithLimit) to enforce both request size (1MB) and read time (30s) limits. This mitigates slowloris-style DoS attacks where unauthenticated clients could open many POST requests with trickled/incomplete bodies, consuming gateway resources before token validation occurs.

• Migrated from manual event-based body reading to readRequestBodyWithLimit which enforces 1MB size limit and 30s timeout
• Added structured error handling with proper HTTP status codes (408 for timeout, 413 for oversized payload)
• Added regression test returns 408 when request body times out to verify stalled bodies are rejected with timeout semantics

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The change replaces a custom body-reading implementation with a well-tested shared bounded reader utility (readRequestBodyWithLimit) that is already used consistently across the codebase (LINE, Voice Call, NextCloud Talk, BlueBubbles extensions). The security improvement is clear: the old implementation only enforced size limits but had no timeout protection, allowing slowloris-style attacks. The new implementation enforces both size and time bounds before token validation. The regression test properly validates timeout behavior using fake timers. Error handling is structured and returns appropriate HTTP status codes.
• No files require special attention

_{Last reviewed commit: f31f1dd}

[steipete]

Landed via temp rebase onto main.

• Gate: pnpm vitest run extensions/synology-chat/src/webhook-handler.test.ts extensions/synology-chat/src/channel.integration.test.ts --maxWorkers=1
• Land commit: 181668cf622f80d4bc7fd0a4e6f3a6886d373c6a
• Merge commit: a3bb7a5

Thanks @bmendonca3!