
RequestSize filter only works when client sends Content-Length header

Open jespersm opened this issue 6 months ago • 4 comments

Describe the bug

In the case where a client doesn't send the Content-Length header in advance, the gateway's RequestSize filter doesn't actually filter for the request body size, and the full request body is sent to the proxied server.

This could easily happen if the client uses HTTP/2 or even HTTP/1.1 with Content-Encoding: chunked, in which case the Content-Length header is not required, and should not be sent.

This is unexpected, compared to the documentation, which doesn't mention that only the header is checked.

Sample

This test case shows the problem (will fail):

package org.springframework.cloud.gateway.filter.factory;

import java.io.ByteArrayInputStream;

import org.junit.jupiter.api.Test;

import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.cloud.gateway.test.BaseWebClientTests;
import org.springframework.core.io.InputStreamResource;
import org.springframework.http.HttpStatus;
import org.springframework.test.annotation.DirtiesContext;

import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;

// ...
@SpringBootTest(webEnvironment = RANDOM_PORT)
@DirtiesContext
public class RequestSizeGatewayFilterFactoryTest extends BaseWebClientTests {

	// ... (testClient comes from BaseWebClientTests; responseMesssage is defined in the elided part)

	@Test
	public void setRequestSizeFilterWorksForStreams() {
		// Stream the body so no Content-Length header is sent; the filter should still reject it
		testClient.post()
				.uri("/post")
				.header("Host", "www.setrequestsize.org")
				.bodyValue(new InputStreamResource(new ByteArrayInputStream("123456".getBytes())))
				.exchange()
				.expectStatus()
				.isEqualTo(HttpStatus.PAYLOAD_TOO_LARGE)
				.expectHeader()
				.valueMatches("errorMessage", responseMesssage);
	}

	// ...
}

Expected behaviour

The gateway filter should wrap the request body flux, count the bytes passed through, and return an error response in case of a request body exceeding the set size. Ideally the request against the proxied service should be dropped (if committed).

jespersm avatar Jul 06 '25 23:07 jespersm
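One way to implement the byte-counting approach described in the expected behaviour above, as an added example that is not code from the issue or from Spring Cloud Gateway; the class name StreamingRequestSizeGatewayFilter and its maxBytes constructor parameter are assumptions, and it is written against the public GatewayFilter, ServerHttpRequestDecorator and Reactor APIs.

```java
import org.springframework.cloud.gateway.filter.GatewayFilter;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
import java.util.concurrent.atomic.AtomicLong;

// Hypothetical filter (not part of Spring Cloud Gateway): enforces the limit by counting
// body bytes as they stream through, so chunked and HTTP/2 requests that carry no
// Content-Length header are covered as well as those that declare one.
public class StreamingRequestSizeGatewayFilter implements GatewayFilter {

	private final long maxBytes;

	public StreamingRequestSizeGatewayFilter(long maxBytes) {
		this.maxBytes = maxBytes;
	}

	@Override
	public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
		ServerHttpRequest original = exchange.getRequest();
		// Fast path: an oversized declared Content-Length is rejected before any body is read.
		if (original.getHeaders().getContentLength() > maxBytes) {
			return Mono.error(new ResponseStatusException(HttpStatus.PAYLOAD_TOO_LARGE));
		}
		AtomicLong seen = new AtomicLong();
		ServerHttpRequest counted = new ServerHttpRequestDecorator(original) {
			@Override
			public Flux<DataBuffer> getBody() {
				return super.getBody().handle((buffer, sink) -> {
					// Running total over every chunk; fail the stream as soon as it crosses the limit.
					if (seen.addAndGet(buffer.readableByteCount()) > maxBytes) {
						DataBufferUtils.release(buffer);
						sink.error(new ResponseStatusException(HttpStatus.PAYLOAD_TOO_LARGE,
								"Request body exceeded " + maxBytes + " bytes"));
					} else {
						sink.next(buffer);
					}
				});
			}
		};
		return chain.filter(exchange.mutate().request(counted).build());
	}
}
```

Because the error is raised while the body is being forwarded, the upstream request is aborted mid-stream; whether the client receives a 413 depends on the response not yet having been committed, which is the caveat the issue itself raises.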

We should change the documentation then. What you are asking for is an enhancement, not a bug fix.

spencergibb avatar Jul 07 '25 01:07 spencergibb

Fair. I'll attempt a wording of this, then.

jespersm avatar Jul 07 '25 07:07 jespersm

I was wavering between NOTE and WARNING but chose the latter to reflect that people might be relying on this as a security feature to protect resource consumption on the proxied servers.

jespersm avatar Jul 07 '25 08:07 jespersm

I submitted a PR for this.

jespersm avatar Jul 08 '25 17:07 jespersm