reqwest

Add response size limit 2

Open finnbear opened this issue 2 years ago • 2 comments

Motivation

Allowing the server to send an arbitrarily large body creates a security vulnerability, namely memory exhaustion DoS.

Changes

  • Adds reponse_body_limit knob to requests
    • (my contribution) Enforces it at the Decoder level such that it applies to both all-at-once and streaming APIs
  • Adds a test case

Related

Fixes #1234

This PR is intended to supersede @tthebst's excellent PR #1532 by addressing the concern that the limit doesn't apply to streaming APIs.

finnbear, May 26 '23 05:05
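An added illustration of the point in the description above, not code from this PR or from reqwest: when the limit lives in the byte source that every consumer reads through, the all-at-once and streaming paths both hit it. It uses only `std::io::Read` as a stand-in for the decoder layer; `LimitedBody`, `limited`, `read_all` and `stream_chunks` are hypothetical names.

```rust
use std::io::{self, Read};

/// Hypothetical wrapper (not reqwest's API): errors once `inner` yields more than the limit.
pub struct LimitedBody<R> { inner: R, remaining: u64, tripped: bool }

impl<R: Read> Read for LimitedBody<R> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        if buf.is_empty() { return Ok(0); }
        let over = || io::Error::new(io::ErrorKind::InvalidData, "body exceeds limit");
        if self.tripped { return Err(over()); }
        // Ask for at most one byte past the budget: enough to detect an
        // oversized body without buffering it.
        let want = (buf.len() as u64).min(self.remaining.saturating_add(1)) as usize;
        let n = self.inner.read(&mut buf[..want])?;
        if n as u64 > self.remaining {
            self.tripped = true; // stay failed on later reads
            return Err(over());
        }
        self.remaining -= n as u64;
        Ok(n)
    }
}

fn limited<R: Read>(inner: R, limit: u64) -> LimitedBody<R> {
    LimitedBody { inner, remaining: limit, tripped: false }
}

/// All-at-once consumer: buffers the whole body.
pub fn read_all(body: impl Read, limit: u64) -> io::Result<Vec<u8>> {
    let mut out = Vec::new();
    limited(body, limit).read_to_end(&mut out)?;
    Ok(out)
}

/// Streaming consumer: handles fixed-size chunks, returns total bytes seen.
pub fn stream_chunks(body: impl Read, limit: u64, chunk: usize) -> io::Result<u64> {
    let (mut body, mut buf, mut total) = (limited(body, limit), vec![0u8; chunk], 0u64);
    loop {
        let n = body.read(&mut buf)?;
        if n == 0 { return Ok(total); }
        total += n as u64;
    }
}

fn main() {
    let big = vec![b'A'; 4096]; // constructed oversized body
    println!("all-at-once: {:?}", read_all(&big[..], 1024).map(|b| b.len()));
    println!("streaming:   {:?}", stream_chunks(&big[..], 1024, 256));
}
```

A body of exactly `limit` bytes passes; the first byte beyond it turns the read into an error on either path.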

Hey I'm just trying to call attention to this PR. I don't have all the context, but it looks functional and even includes tests – is there any chance this could be merged?

ein-tier, Oct 02 '23 13:10

This would be fantastic to have in reqwest! Hope it gets a review soon

kellpossible, Nov 22 '23 12:11