-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limit size of request bodies in Bytes
extractor
#1346
Conversation
.map_err(FailedToBufferBody::from_err)?; | ||
// update docs in `axum-core/src/extract/default_body_limit.rs` and | ||
// `axum/src/docs/extract.md` if this changes | ||
const DEFAULT_LIMIT: usize = 2_097_152; // 2 mb |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I picked 2mb because thats what actix-web uses for their Json
extractor.
If we do this, why not let the user configure the limit using |
Yeah we could do that. I did consider it but kinda wanted to this as minimal as possible and then add more stuff as we go. |
* Apply default limit to request body size * Support disabling the default limit * docs * changelog
For those who are already using |
Thanks for the quick answer.
and we read the body ourselves:
it seems that we don't need to disable the new layer for this handler. We are not relying on the |
Yes. That is also in the docs 😅
|
What version of axum-core is this in and has it been pushed? |
@DanielJoyce yes. See the changelog. |
Motivation
We recently received a report of a vulnerability in axum caused by
Bytes::from_request
callinghyper::body::into_bytes
directly without setting a limit. This meant if someone sent an infinite request body the server would attempt to buffer the whole thing in memory and eventually OOM.This also applies to extractors that calls
Bytes::from_request
internally likeString
,Json
, andForm
.Solution
I think the right move is to set a default limit on how much
Bytes::from_request
will consume. I don't think just documenting it is enough since users might not notice.This PR fixes it by wrapping the body in
http_body::Limited
before callinginto_bytes
. This can be disabled by adding the newDefaultBodyLimit::disable()
middleware. That sets a private extension whichBytes::from_request
looks for.Once this is merged I'll backport this to 0.5