Respond with status code 413 if request body is too large #6936

Merged (5 commits), Sep 21, 2022
7 changes: 7 additions & 0 deletions .changeset/five-tools-arrive.md
@@ -0,0 +1,7 @@
---
"@sveltejs/adapter-node": patch
"@sveltejs/adapter-vercel": patch
"@sveltejs/kit": patch
---

Redact error message if `getRequest` fails
5 changes: 5 additions & 0 deletions .changeset/strong-baboons-travel.md
@@ -0,0 +1,5 @@
---
"@sveltejs/kit": patch
---

Respond with 413 if request body is too large
2 changes: 1 addition & 1 deletion packages/adapter-node/src/handler.js
@@ -56,7 +56,7 @@ const ssr = async (req, res) => {
});
} catch (err) {
res.statusCode = err.status || 400;
res.end(err.reason || 'Invalid request body');
res.end('Invalid request body');
return;
}

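Review bot: with `err.reason` no longer sent to the client, nothing in this catch records it server-side either, so an operator sees only a bare 400/413 with no indication of what was wrong with the body. Consider logging `err` (at least `err.status` and `err.reason`) before `res.end('Invalid request body');` so the redaction applies to the client response only and the diagnostic is not lost.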
2 changes: 1 addition & 1 deletion packages/adapter-vercel/files/serverless.js
@@ -23,7 +23,7 @@ export default async (req, res) => {
request = await getRequest({ base: `https://${req.headers.host}`, request: req });
} catch (err) {
res.statusCode = err.status || 400;
return res.end(err.reason || 'Invalid request body');
return res.end('Invalid request body');
}

setResponse(
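Review bot: `res.statusCode = err.status || 400;` assumes that whatever `getRequest` throws carries a `status`; an error that is not an `HttpError` (a failed read on the underlying socket, for example) is reported to the client as a 400 "Invalid request body" even when the cause was on the server side. Since the message is now fixed, it would be safer to map only known `err.status` values and fall back to 500 for the rest, and, as in adapter-node, to log `err` before ending the response.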
11 changes: 8 additions & 3 deletions packages/kit/src/exports/node/index.js
@@ -1,4 +1,5 @@
import * as set_cookie_parser from 'set-cookie-parser';
import { error } from '../index.js';

/**
* @param {import('http').IncomingMessage} req
@@ -27,7 +28,8 @@ function get_raw_body(req, body_size_limit) {
if (!length) {
length = body_size_limit;
} else if (length > body_size_limit) {
throw new Error(
throw error(
413,
`Received content-length of ${length}, but only accept up to ${body_size_limit} bytes.`
);
}
@@ -45,6 +47,7 @@ function get_raw_body(req, body_size_limit) {
return new ReadableStream({
start(controller) {
req.on('error', (error) => {
cancelled = true;
controller.error(error);
});

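Review bot: the callback parameter in `req.on('error', (error) => {` shadows the `error` helper that this same change imports at the top of the file (`import { error } from '../index.js';`). It works because the helper is not called inside the callback, but in a function that now also calls `error(413, ...)` the shadow is easy to misread; renaming the parameter to `err` avoids it.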
@@ -58,8 +61,10 @@ function get_raw_body(req, body_size_limit) {

size += chunk.length;
if (size > length) {
req.destroy(
new Error(
cancelled = true;
controller.error(
Member commented:
I'm not well-versed with the details of this code section - could you explain briefly why this change is necessary?

@repsac-by (Contributor Author) commented on Sep 21, 2022:
This returns an error in the RequestHandler and from there the status code gets into the Response; otherwise the connection is simply terminated without a response. `cancelled = true` is needed so that `controller.close()` does not occur in the `req.on('end', () => ...)` handler, because calling `close()` on a closed controller causes an unhandled exception.

error(
413,
`request body size exceeded ${
content_length ? "'content-length'" : 'BODY_SIZE_LIMIT'
} of ${length}`
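Review bot: dropping `req.destroy(` in favour of `controller.error(` means the socket is no longer torn down when the limit is exceeded, so unless the `data` listener is removed or the response path closes the connection, the server keeps reading the remainder of an oversized body after it has already decided to reject it; please confirm the `end`/`data` handling below (not shown in the hunk) stops consuming, or keep a `req.destroy()` alongside the `controller.error(...)`. Separately, the message built here embeds the configured limit (`of ${length}`, and the name `BODY_SIZE_LIMIT` when no content-length was sent); because it is raised from inside the stream rather than from `getRequest`, it bypasses the redaction the adapters now apply in their catch blocks, so check that the request handler does not forward `err.message` to the client or use a fixed message here too. Minor style point: the mixed quoting in `"'content-length'"` is hard to read; a plain `'content-length'` would do.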
2 changes: 1 addition & 1 deletion packages/kit/src/exports/vite/dev/index.js
@@ -397,7 +397,7 @@ export async function dev(vite, vite_config, svelte_config) {
});
} catch (/** @type {any} */ err) {
res.statusCode = err.status || 400;
return res.end(err.message || 'Invalid request body');
return res.end('Invalid request body');
}

const template = load_template(cwd, svelte_config);
2 changes: 1 addition & 1 deletion packages/kit/src/exports/vite/preview/index.js
@@ -137,7 +137,7 @@ export async function preview(vite, vite_config, svelte_config) {
});
} catch (/** @type {any} */ err) {
res.statusCode = err.status || 400;
return res.end(err.message || 'Invalid request body');
return res.end('Invalid request body');
}

setResponse(
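Review bot: this is the fourth call site (adapter-node, adapter-vercel, dev, preview) that hardcodes the literal `'Invalid request body'`; hoisting it to one exported constant next to `getRequest` would keep the redacted wording in one place and make it harder for a future change to reintroduce `err.message` in one of them.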