fix: cap request body size at 1 MiB#448
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughSummary by CodeRabbit
WalkthroughThis PR adds request body size limiting to the API via middleware. A new Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 golangci-lint (2.12.2)Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions Comment |
…-body-size-limit-gotrue
…-body-size-limit-gotrue
…-body-size-limit-gotrue
…-body-size-limit-gotrue
…-body-size-limit-gotrue
- Summary
Handlers read
r.Bodywith no upper bound, so a multi-gigabyte body would buffer in memory. This adds alimitBodySizemiddleware that wraps every body inhttp.MaxBytesReaderwith a 1 MiB cap, applied right afterchi/middleware.RealIPso every route inherits the limit. We useMaxBytesReaderrather thanio.LimitReaderbecause the former returns a clean error when the cap is hit, while the latter silently truncates and would corrupt JSON mid-parse.- Test plan
- Description for the changelog
Cap incoming request bodies at 1 MiB.
- A picture of a cute animal (not mandatory but encouraged)