AtomGraph / LinkedDataHub

The low-code Knowledge Graph application platform. Apache license.
https://atomgraph.github.io/LinkedDataHub/
Apache License 2.0

Check Content-Length on PUT and POST #53

Closed namedgraph closed 3 years ago

namedgraph commented 3 years ago

Introduce an aplc:MaxPostSize config parameter and check the Content-Length header of PUT and POST requests; reject the request with 413 Request Entity Too Large if it is over the size limit.

namedgraph commented 3 years ago

We can probably leverage Tomcat's maxPostSize by creating a $MAX_POST_SIZE entrypoint param for it, without needing to touch Java code.

namedgraph commented 3 years ago

Looks like Tomcat's maxPostSize doesn't do what I thought it does: https://www.mail-archive.com/search?l=users@tomcat.apache.org&q=subject:%22How+to+upload+Files+larger+than+2GB%22&o=newest&f=1

We need to implement our own subclass of InputStream then, in order to be able to count bytes. It should probably be integrated deep into Core's ModelProvider where the request stream is read.

Checking Content-Length in a ReaderInterceptor sounds much easier, and although the header value can be spoofed, we could use this as an interim solution.

namedgraph commented 3 years ago

Now with tests POST-content-length-413.sh and POST-transfer-chunked-413.sh

namedgraph commented 3 years ago

The implementation could now be simplified by moving it to nginx and configuring using client_max_body_size.

namedgraph commented 3 years ago

Let's keep a check both in nginx and in LinkedDataHub.
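
The two application-side checks discussed in this thread, a Content-Length pre-check and a byte-counting InputStream subclass, are sketched below as an added example; it is not LinkedDataHub's code and was not posted in the issue. The names `BodyLimitDemo`, `LimitedInputStream`, `PayloadTooLargeException` and `guard` are hypothetical, only `java.io` is used (Java 9+ for `readAllBytes`), and a 2048-byte constructed body stands in for a request entity.

```java
import java.io.*;

public class BodyLimitDemo {
    /** Hypothetical exception; a JAX-RS layer would map it to a 413 response. */
    static class PayloadTooLargeException extends IOException {
        PayloadTooLargeException(long limit) { super("Request body exceeds " + limit + " bytes"); }
    }

    /** Counts bytes as they are actually read and fails once the limit is passed. */
    static class LimitedInputStream extends FilterInputStream {
        private final long limit;
        private long count;

        LimitedInputStream(InputStream in, long limit) { super(in); this.limit = limit; }

        @Override public int read() throws IOException {
            int b = super.read();
            if (b != -1) add(1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) add(n);
            return n;
        }
        private void add(long n) throws IOException {
            count += n;
            if (count > limit) throw new PayloadTooLargeException(limit);
        }
    }

    /** Cheap pre-check on the declared length (null when chunked), then enforced counting. */
    static InputStream guard(InputStream body, Long declaredLength, long limit) throws IOException {
        if (declaredLength != null && declaredLength > limit) throw new PayloadTooLargeException(limit);
        return new LimitedInputStream(body, limit);
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = new byte[2048]; // constructed sample body, twice the limit
        // Declared lengths: truthful, understated, and absent (chunked transfer).
        for (Long declared : new Long[] { 2048L, 10L, null }) {
            try (InputStream in = guard(new ByteArrayInputStream(payload), declared, 1024)) {
                in.readAllBytes();
                System.out.println("declared=" + declared + " -> accepted");
            } catch (PayloadTooLargeException e) {
                System.out.println("declared=" + declared + " -> 413: " + e.getMessage());
            }
        }
    }
}
```

The truthful header is rejected before any byte is read; the understated and missing headers pass the pre-check and are stopped only by the counting stream, which is the case the chunked-transfer test in the thread covers.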