
Request Size Limit

Open beached opened this issue 4 years ago • 5 comments

I have read through the docs, mostly app and middleware, but I cannot figure out how to set the request size limit. Or if it doesn't let one set that, it seems like a potential DoS and this becomes a request for feature.

beached avatar Apr 09 '22 17:04 beached

As far as I recall, Crow's parser only has a limit for the size of headers (the entire request except the body to be specific), which can be set via -DCROW_HTTP_MAX_HEADER_SIZE <value> and defaults to 80 * 1024 bytes. Would it be a good idea to limit the body size as well? (Since the only processing that occurs on the body just makes sure that the content length is correct)

The-EDev avatar Apr 09 '22 17:04 The-EDev

The body is allocated locally and it takes time/memory. It would be great to have a per route limit or per app limit, but a definition is better than none too. Resource exhaustion can be an issue.

beached avatar Apr 09 '22 17:04 beached

I think a per app limit with a per route / blueprint override would be a good addition.

The-EDev avatar Apr 09 '22 17:04 The-EDev

The problem is that max_header_size is static and is used all over the http parser, which runs at first level - before the app, the router and any middleware.

To detect what route/blueprint we're requesting, we have to parse the http request first 😄 To then customize parsing the request... That means that parsing has to be done step by step.

The current parser is very hard to refactor, it's actually even hard to read. I doubt this is doable in the foreseeable future 😢

If you want your API to be safe, you can proxy requests through a server like nginx and apache, where all settings can be tuned.

dranikpg avatar Apr 13 '22 20:04 dranikpg

@dranikpg You raise a good point, getting the limit from the app would be possible, since the connection (which contains the app) runs before the parser.

But figuring out the BP or Route would require altering the parser (or at least the callbacks in the wrapper) to go through the routing process once the Method / URL.

I agree with you on the parser being difficult to deal with, but I've read through it, and even modified it. So if you need anything related to it let me know ;)

The-EDev avatar May 24 '22 16:05 The-EDev
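
The per-app limit with a per-route override discussed in this thread, as an added example that is not part of the thread and is not Crow's code or API: the size decision is made once the method, URL and headers are parsed, before any body buffer is reserved, with a running cap for bodies that declare no length. `BodyLimits`, `check_at_headers_complete` and `BodyAccumulator` are hypothetical names; the sketch assumes lower-cased header names and routes matched by exact path.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>

// Hypothetical types for illustration; none of this is Crow's API.
struct BodyLimits {
    std::uint64_t app_default = 0;                   // per-app limit, bytes
    std::map<std::string, std::uint64_t> per_route;  // overrides, exact path
    std::uint64_t limit_for(const std::string& path) const {
        auto it = per_route.find(path);
        return it != per_route.end() ? it->second : app_default;
    }
};

// Strict Content-Length parse: digits only, no sign, no overflow.
bool parse_content_length(const std::string& v, std::uint64_t& out) {
    if (v.empty() || v.size() > 19) return false;  // 19 digits fit in uint64
    std::uint64_t n = 0;
    for (char c : v) {
        if (c < '0' || c > '9') return false;
        n = n * 10 + static_cast<std::uint64_t>(c - '0');
    }
    out = n;
    return true;
}

// Called once method, URL and headers are parsed, before any body buffer is
// reserved. Returns the status to reject with, or 0 to go on reading the body.
// Assumes header names were lower-cased by the parser.
int check_at_headers_complete(const BodyLimits& limits, const std::string& path,
                              const std::map<std::string, std::string>& headers) {
    auto it = headers.find("content-length");
    if (it == headers.end()) return 0;  // no declared length: cap while reading
    std::uint64_t len = 0;
    if (!parse_content_length(it->second, len)) return 400;
    return len > limits.limit_for(path) ? 413 : 0;
}

// Running cap for bodies with no declared length (chunked transfer encoding).
struct BodyAccumulator {
    std::uint64_t limit = 0;
    std::string body;
    bool append(const char* data, std::size_t n) {  // false: answer 413, close
        if (n > limit - body.size()) return false;   // body.size() <= limit holds
        body.append(data, n);
        return true;
    }
};
```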