Request body handling can cause high memory usage
Branch/Environment/Version
- Branch/Version: master
- Environment: On-prem
Describe the bug
Tyk API Gateway reads any request body without limitation into memory. Without some kind of load balancer or proxy in front to limit the request body size this can easily lead to out of memory conditions with large incoming requests. Especially as it seems that the request body is duplicated in memory multiple times.
Reproduction steps
Steps to reproduce the behavior:
- Add any API endpoint.
- Do a POST request with either a large file as Multipart Upload or generate a request with a large body (e.g. 3 GB)
Actual behavior
Tyk API Gateway copies the full request body multiple times into memory. It not only stores the request body in full once but depending on the used middlewares multiple times. In my test setup I could easily exceed 32 GB of memory with a file upload of a 3 GB ISO.
Expected behavior
- There should be at least a configurable request body size limit available to restrict incoming requests and prevent out-of-memory situations (I will create a pull request for such a feature).
- In general, request body handling could be improved:
  - Is it really necessary to read the whole body first when handling a request? In case no middleware needs to read it, the body could be forwarded without fully reading it into memory.
  - Caching/Reusing the request body should work without duplicating the memory usage multiple times. At the moment the request body reader gets replaced by a re-readable reader. Every middleware that accesses the body (e.g. JavaScript middlewares) creates a duplicate copy while reading, which needs to be cleaned up by garbage collection later.
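
The configurable request body size limit requested above can be sketched with Go's standard `http.MaxBytesReader`. This is an added example, not code from the issue or from Tyk: `limitBody`, `bufferingHandler`, `statusFor` and the 1024-byte limit are assumptions, and the request bodies are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// limitBody (hypothetical name, not Tyk code) caps the body before any middleware buffers it.
func limitBody(maxBytes int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ContentLength > maxBytes { // declared length over the limit: refuse without reading
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, maxBytes) // chunked or mislabelled bodies fail mid-read
		next.ServeHTTP(w, r)
	})
}

// bufferingHandler stands in for a middleware that reads the whole body into memory.
func bufferingHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	var tooBig *http.MaxBytesError
	switch {
	case errors.As(err, &tooBig):
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "cannot read body", http.StatusBadRequest)
	default:
		fmt.Fprintf(w, "read %d bytes", len(body))
	}
}

// statusFor sends a constructed n-byte body through the limited handler and returns the status.
func statusFor(n int, limit int64, chunked bool) int {
	req := httptest.NewRequest(http.MethodPost, "/upload", strings.NewReader(strings.Repeat("A", n)))
	if chunked {
		req.ContentLength = -1 // length unknown up front, as with chunked transfer encoding
	}
	rec := httptest.NewRecorder()
	limitBody(limit, http.HandlerFunc(bufferingHandler)).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor(512, 1024, false), statusFor(4096, 1024, false), statusFor(4096, 1024, true)) }
```

With the cap in place, at most `maxBytes` plus one byte is read from an oversized body before the read fails, so the memory a single request can pin is bounded regardless of how many middlewares copy it.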