Limit max request size

Question

Limit max request size

Kludex opened this issue a year ago · comments

Marcelo Trylesinski commented a year ago

Discussed in #1516

^{Originally posted by aviramha April 5, 2020}
As discussed in the Gitter, my opinion is that starlette should provide a default limit for request size.
The main reason is that without it, any Starlette application is vulnerable to very easy DoS.
For example, newbie me can write a program as follows:

from starlette.requests import Request
from starlette.responses import Response


async def app(scope, receive, send):
    assert scope['type'] == 'http'
    request = Request(scope, receive)
    body = b''
    json = await request.json()
    response = Response(body, media_type='text/plain')
    await response(scope, receive, send)

As a malicious user, I could send a 30GB sized JSON and cause the memory to go OOM.
Other frameworks support this also - Django, Quart.
My proposal is to add a default limit which can be overrided in the app configuration.

Important

We're using Polar.sh so you can upvote and help fund this issue.
We receive the funding once the issue is completed & confirmed by you.
Thank you in advance for helping prioritize & fund our backlog.

Adrian Garcia Badaracco · Answer 1 · Fri May 26 2023 22:01:27 GMT+0800 (China Standard Time)

If we're going to make it a configurable middleware it might also make sense to have some sort of timeout for connections and each chunk, maybe infinite by default but definitely tunable.

Another thing to keep in mind is that this is likely something users want to control on a per-endpoint basis. That is, if I have an app that has an upload feature where I'm expecting 1GB files it's likely a single endpoint that expects 1GB files so I'd want to bump up the limits just for that endpoint. That makes me think that the best strategy may be a per-endpoint middleware w/ a companion middleware that just tweaks the config by changing it in scope. That would allow layering and overriding of these settings. This would be similar to #2026

Alex Oleshkevich · Answer 2 · Wed May 31 2023 17:51:26 GMT+0800 (China Standard Time)

This is a good one! I also agree that we need a global setting and per-route (Route + Mount).
Use case: global limit - 1mb, photo upload endpoint - 10mb limit.

We can add max_body_size to request.form(), request.json(), and request.stream() functions.

Marcelo Trylesinski · Answer 3 · Sat Jun 24 2023 19:18:24 GMT+0800 (China Standard Time)

Why should the ASGI application be the one to set this instead of the server?

Alex Oleshkevich · Answer 4 · Sat Jun 24 2023 21:05:55 GMT+0800 (China Standard Time)

Why should the ASGI application be the one to set this instead of the server?

Example: global POST limit is 1mb, for selected endpoints that upload files - 100mb.
Setting this at the server level is global and leaves no chance to override it.

Aber · Answer 5 · Mon Nov 06 2023 14:55:52 GMT+0800 (China Standard Time)

Adding a LimitRequestSizeMiddleware is the simplest and forward-compatible way.

Marcelo Trylesinski · Answer 6 · Tue Nov 07 2023 01:04:05 GMT+0800 (China Standard Time)

Adding a LimitRequestSizeMiddleware is the simplest and forward-compatible way.

Yeah. Shall we follow this path?

Adrian Garcia Badaracco · Answer 7 · Tue Nov 07 2023 01:05:51 GMT+0800 (China Standard Time)

Yes I think someone should make a PR and we can discuss the details (override vs. min/max, should there be a default, etc.) there.

Adrian Garcia Badaracco · Answer 8 · Wed Nov 08 2023 23:18:10 GMT+0800 (China Standard Time)

Yes I think someone should make a PR

I am someone, I made a PR 😆 : #2328