fix(objectnode): fix read body entirely into memory and without an upper boundary

Signed-off-by: tangdeyi <tangdeyi@oppo.com>

Author: tangdeyi

objectnode/api_handler_bucket.go

@@ -23,7 +23,6 @@ import (
 	"io/ioutil"
 	"net/http"
 	"regexp"
-	"strconv"
 	"strings"
 
 	"github.com/cubefs/cubefs/proto"
@@ -86,30 +85,29 @@ func (o *ObjectNode) createBucketHandler(w http.ResponseWriter, r *http.Request)
 	}
 	defer rateLimit.ReleaseLimitResource(userInfo.UserID, param.apiName)
 
-	// get LocationConstraint if any
-	contentLenStr := r.Header.Get(ContentLength)
-	if contentLen, errConv := strconv.Atoi(contentLenStr); errConv == nil && contentLen > 0 {
-		var requestBytes []byte
-		requestBytes, err = ioutil.ReadAll(r.Body)
-		if err != nil && err != io.EOF {
-			log.LogErrorf("createBucketHandler: read request body fail: requestID(%v) err(%v)", GetRequestID(r), err)
-			return
-		}
+	_, errorCode = VerifyContentLength(r, BodyLimit)
+	if errorCode != nil {
+		return
+	}
+	requestBytes, err := ioutil.ReadAll(r.Body)
+	if err != nil && err != io.EOF {
+		log.LogErrorf("createBucketHandler: read request body fail: requestID(%v) err(%v)", GetRequestID(r), err)
+		return
+	}
 
-		createBucketRequest := &CreateBucketRequest{}
-		err = UnmarshalXMLEntity(requestBytes, createBucketRequest)
-		if err != nil {
-			log.LogErrorf("createBucketHandler: unmarshal xml fail: requestID(%v) err(%v)",
-				GetRequestID(r), err)
-			errorCode = InvalidArgument
-			return
-		}
-		if createBucketRequest.LocationConstraint != o.region {
-			log.LogErrorf("createBucketHandler: location constraint not match the service: requestID(%v) LocationConstraint(%v) region(%v)",
-				GetRequestID(r), createBucketRequest.LocationConstraint, o.region)
-			errorCode = InvalidLocationConstraint
-			return
-		}
+	createBucketRequest := &CreateBucketRequest{}
+	err = UnmarshalXMLEntity(requestBytes, createBucketRequest)
+	if err != nil {
+		log.LogErrorf("createBucketHandler: unmarshal xml fail: requestID(%v) err(%v)",
+			GetRequestID(r), err)
+		errorCode = InvalidArgument
+		return
+	}
+	if createBucketRequest.LocationConstraint != o.region {
+		log.LogErrorf("createBucketHandler: location constraint not match the service: requestID(%v) LocationConstraint(%v) region(%v)",
+			GetRequestID(r), createBucketRequest.LocationConstraint, o.region)
+		errorCode = InvalidLocationConstraint
+		return
 	}
 
 	var acl *AccessControlPolicy
@@ -397,6 +395,10 @@ func (o *ObjectNode) putBucketTaggingHandler(w http.ResponseWriter, r *http.Requ
 	}
 	defer rateLimit.ReleaseLimitResource(vol.owner, param.apiName)
 
+	_, errorCode = VerifyContentLength(r, BodyLimit)
+	if errorCode != nil {
+		return
+	}
 	var body []byte
 	if body, err = ioutil.ReadAll(r.Body); err != nil {
 		log.LogErrorf("putBucketTaggingHandler: read request body data fail: requestID(%v) err(%v)",

objectnode/api_handler_multipart.go

@@ -651,8 +651,11 @@ func (o *ObjectNode) completeMultipartUploadHandler(w http.ResponseWriter, r *ht
 	defer rateLimit.ReleaseLimitResource(vol.owner, param.apiName)
 
 	// get uploaded part info in request
-	var requestBytes []byte
-	requestBytes, err = ioutil.ReadAll(r.Body)
+	_, errorCode = VerifyContentLength(r, BodyLimit)
+	if errorCode != nil {
+		return
+	}
+	requestBytes, err := ioutil.ReadAll(r.Body)
 	if err != nil && err != io.EOF {
 		log.LogErrorf("completeMultipartUploadHandler: read request body fail: requestID(%v) err(%v)",
 			GetRequestID(r), err)

objectnode/api_handler_object.go

@@ -557,8 +557,11 @@ func (o *ObjectNode) deleteObjectsHandler(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	var bytes []byte
-	bytes, err = ioutil.ReadAll(r.Body)
+	_, errorCode = VerifyContentLength(r, BodyLimit)
+	if errorCode != nil {
+		return
+	}
+	bytes, err := ioutil.ReadAll(r.Body)
 	if err != nil {
 		log.LogErrorf("deleteObjectsHandler: read request body fail: requestID(%v) volume(%v) err(%v)",
 			GetRequestID(r), param.Bucket(), err)
@@ -1552,6 +1555,10 @@ func (o *ObjectNode) putObjectTaggingHandler(w http.ResponseWriter, r *http.Requ
 	}
 	defer rateLimit.ReleaseLimitResource(vol.owner, param.apiName)
 
+	_, errorCode = VerifyContentLength(r, BodyLimit)
+	if errorCode != nil {
+		return
+	}
 	var requestBody []byte
 	if requestBody, err = ioutil.ReadAll(r.Body); err != nil {
 		log.LogErrorf("putObjectTaggingHandler: read request body data fail: requestID(%v) err(%v)",
@@ -1660,6 +1667,10 @@ func (o *ObjectNode) putObjectXAttrHandler(w http.ResponseWriter, r *http.Reques
 	}
 	defer rateLimit.ReleaseLimitResource(vol.owner, param.apiName)
 
+	_, errorCode = VerifyContentLength(r, BodyLimit)
+	if errorCode != nil {
+		return
+	}
 	var requestBody []byte
 	if requestBody, err = ioutil.ReadAll(r.Body); err != nil {
 		errorCode = &ErrorCode{
@@ -1962,3 +1973,21 @@ func GetContentLength(r *http.Request) int64 {
 	}
 	return r.ContentLength
 }
+
+func VerifyContentLength(r *http.Request, bodyLimit int64) (int64, *ErrorCode) {
+	dcl := r.Header.Get(HeaderNameXAmzDecodedContentLength)
+	var length = r.ContentLength
+	if dcl != "" {
+		l, err := strconv.ParseInt(dcl, 10, 64)
+		if err == nil {
+			length = l
+		}
+	}
+	if length > bodyLimit {
+		return 0, EntityTooLarge
+	}
+	if length <= 0 {
+		return 0, MissingContentLength
+	}
+	return length, nil
+}

objectnode/const.go

@@ -133,6 +133,7 @@ const (
 	MaxParts       = 1000
 	MaxUploads     = 1000
 	SinglePutLimit = 5 * 1 << 30 // 5G
+	BodyLimit      = 1 << 20
 )
 
 const (

objectnode/lifecycle_handler.go

@@ -106,6 +106,10 @@ func (o *ObjectNode) putBucketLifecycleConfigurationHandler(w http.ResponseWrite
 		return
 	}
 
+	_, errorCode = VerifyContentLength(r, BodyLimit)
+	if errorCode != nil {
+		return
+	}
 	var requestBody []byte
 	if requestBody, err = ioutil.ReadAll(r.Body); err != nil && err != io.EOF {
 		log.LogErrorf("putBucketLifecycle failed: read request body data err: requestID(%v) err(%v)", GetRequestID(r), err)