core: Reject oversized GET dns query parameter of DoH (#7926)

* core: Reject oversized GET dns query parameter of DoH

The DoH POST path limits request size using http.MaxBytesReader(..., 65536), but the GET path passes the dns query value directly to base64ToMsg() with no equivalent bound.

This PR adds length check.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Fix

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

---------

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

plugin/pkg/doh/doh_test.go

@@ -44,3 +44,26 @@ func TestDoH(t *testing.T) {
 		})
 	}
 }
+
+func TestDoHGETRejectsOversizedDNSQuery(t *testing.T) {
+	// Exceeding max size 65536
+	raw := make([]byte, 65536+1)
+	b64 := b64Enc.EncodeToString(raw)
+
+	req, err := http.NewRequest(
+		http.MethodGet,
+		"https://example.org"+Path+"?dns="+b64,
+		nil,
+	)
+	if err != nil {
+		t.Fatalf("failed to build request: %v", err)
+	}
+
+	_, err = RequestToMsg(req)
+	if err == nil {
+		t.Fatalf("expected oversized GET dns query to be rejected")
+	}
+	if err.Error() != "dns query too large" {
+		t.Fatalf("expected %q, got %v", "dns query too large", err)
+	}
+}