fix(server): bound request body size to prevent upload memory DoS #97
No reviewers
Labels
No labels
area:api
area:core
area:docs
area:infra
area:ux
dependencies
documentation
duplicate
good first issue
help wanted
invalid
question
rust
status:complete
status:partial
status:planned
type:bug
type:design
type:feature
type:infra
type:refactor
type:refactor
type:research
type:ux
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
icub3d/decentcom!97
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "feature/80-body-size-limit"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Fixes #80. Multipart uploads bypass axum's
DefaultBodyLimit, and the handlers buffered each field viafield.bytes()with themax_file_sizecheck applied only after the whole field was in memory. With noRequestBodyLimitLayerconfigured, a single huge field — or many fields in one request (the attachment loop accumulates) — could stream unbounded bytes into memory.Fix
Add a
RequestBodyLimitLayer(tower-httplimitfeature) sized tomax_file_size + 8 KiBframing overhead, applied to the whole router. This caps the entire request body at the HTTP layer, so no field can exceed what we are willing to buffer, and returns413 Payload Too Large(immediately whenContent-Lengthexceeds the cap). JSON/text endpoints stay bounded by axum's smallerDefaultBodyLimit.Note: the cap bounds the whole request, so a single upload request is effectively bounded to one max-size file plus framing. This matches the issue's concern about the multi-field accumulation; a dedicated multi-file budget can be a follow-up if needed.
Tests
oversized_request_body_is_rejected: over-limit body → 413 (before auth/routing); a small body is not rejected.Full server suite green (116 tests);
clippy -D warningsclean.Closes #80