Add request body size limit middleware function #3114
Conversation
Implement middleware func in pkg/api/server.go to enforce 1MB request body size limit Requests exceeding this limit receive HTTP 413 response Added comprehensive tests for boundary conditions fixes stacklok#3054 Signed-off-by: muzman123 <[email protected]>
github-actions
bot
added
size/XS
github-actions
bot
added
size/XS
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3114 +/- ##
=======================================
Coverage 57.11% 57.12%
=======================================
Files 341 341
Lines 33950 33961 +11
=======================================
+ Hits 19392 19400 +8
- Misses 12949 12951 +2
- Partials 1609 1610 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR adds request body size limit middleware to the ToolHive API server to address security issue #3054 by preventing resource exhaustion from oversized request payloads. The implementation enforces a 1MB default limit with both early rejection via Content-Length header validation and a safety net using http.MaxBytesReader for chunked/streaming requests.
Key changes:
- Added
requestBodySizeLimitMiddlewarefunction that checks Content-Length and wraps request bodies withhttp.MaxBytesReader - Integrated middleware into the API server's middleware chain before authentication
- Added comprehensive unit tests covering requests within limit, at limit, and exceeding limit
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/api/server.go | Defines 1MB constant, implements middleware function, and adds middleware to the request processing chain |
| pkg/api/request_size_test.go | Adds unit tests for middleware behavior with requests of various sizes |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Thanks for the PR @muzman123! There are a few changes that Copilot suggested above. For the blank lines you can run |
edited requestBodySizeLimitMiddleware to send JSON formatted error instead of plain text, ran task lint-fix on new/edited files
github-actions
bot
added
size/S
eleftherias
left a comment
eleftherias
left a comment
There was a problem hiding this comment.
Thanks for the updates! I have a couple more questions and comments that I've left inline.
| if strings.HasPrefix(r.URL.Path, "/api/") { | ||
| w.Header().Set("Content-Type", "application/json") | ||
| } |
There was a problem hiding this comment.
Looking at this again, let's remove this section. There is a larger issue in the codebase where errors are returned as plaintext, but we can deal with it separately.
| if strings.HasPrefix(r.URL.Path, "/api/") { | |
| w.Header().Set("Content-Type", "application/json") | |
| } |
| if strings.HasPrefix(r.URL.Path, "/api/") { | ||
| w.Header().Set("Content-Type", "application/json") | ||
| } | ||
| http.Error(w, "Request Entity Too Large", http.StatusRequestEntityTooLarge) |
There was a problem hiding this comment.
It would be nice to have a log message before the error is returned to help with diagnostics.
| } | ||
|
|
||
| // Also set MaxBytesReader as a safety net for requests without Content-Length | ||
| r.Body = http.MaxBytesReader(w, r.Body, maxSize) |
There was a problem hiding this comment.
I'm concerned that if this fails, it won't return a 413 status code, and cause a different error. Do you have any thoughts around this?
2 participants
Problem
Issue #3054 identified that the API does not enforce request body size limits
Solution
Added
requestBodySizeLimitMiddlewareinpkg/api/server.gothat:maxRequestBodySizeconstantContent-Lengthheader for immediate rejection (efficient)http.MaxBytesReaderas safety net for chunked/streaming requestsAdded unit tests in
pkg/api/request_size_test.go:Related Issue
Fixes #3054