
Fix missing body size limits in Server Action handler

Open shuding opened this issue 1 year ago • 2 comments

There is one place where we use busboy to parse the request body and we are not setting its size limits.

The fix is similar to what https://github.com/vercel/next.js/issues/59277#issuecomment-1867445275 suggested (thanks @TryingToImprove). Need to add a test case for it before shipping.

Closes #59277.

Closes NEXT-2314

shuding avatar Jan 31 '24 17:01 shuding

Stats from current PR

Default Build
General: Overall increase ⚠️

Metric                     | vercel/next.js canary | vercel/next.js shu/72b4 | Change
buildDuration              | 11.7s   | 11.7s   | N/A
buildDurationCached        | 6.2s    | 5.3s    | N/A
nodeModulesSize            | 200 MB  | 200 MB  | ⚠️ +9.98 kB
nextStartRea..uration (ms) | 426ms   | 431ms   | N/A

Client Bundles (main, webpack)

Bundle (gzip)              | vercel/next.js canary | vercel/next.js shu/72b4 | Change
3f784ff6-HASH.js           | 53.4 kB | 53.4 kB |
423.HASH.js                | 185 B   | 181 B   | N/A
68-HASH.js                 | 29.9 kB | 29.9 kB | N/A
framework-HASH.js          | 45.2 kB | 45.2 kB |
main-app-HASH.js           | 238 B   | 240 B   | N/A
main-HASH.js               | 31.8 kB | 31.8 kB | N/A
webpack-HASH.js            | 1.7 kB  | 1.7 kB  |
Overall change             | 100 kB  | 100 kB  |

Legacy Client Bundles (polyfills)

Bundle (gzip)              | vercel/next.js canary | vercel/next.js shu/72b4 | Change
polyfills-HASH.js          | 31 kB   | 31 kB   |
Overall change             | 31 kB   | 31 kB   |

Client Pages

Page (gzip)                | vercel/next.js canary | vercel/next.js shu/72b4 | Change
_app-HASH.js               | 194 B   | 195 B   | N/A
_error-HASH.js             | 182 B   | 181 B   | N/A
amp-HASH.js                | 502 B   | 502 B   |
css-HASH.js                | 320 B   | 322 B   | N/A
dynamic-HASH.js            | 2.5 kB  | 2.5 kB  | N/A
edge-ssr-HASH.js           | 255 B   | 256 B   | N/A
head-HASH.js               | 350 B   | 349 B   | N/A
hooks-HASH.js              | 368 B   | 369 B   | N/A
image-HASH.js              | 4.18 kB | 4.18 kB | N/A
index-HASH.js              | 257 B   | 256 B   | N/A
link-HASH.js               | 2.61 kB | 2.61 kB | N/A
routerDirect..HASH.js      | 310 B   | 311 B   | N/A
script-HASH.js             | 384 B   | 383 B   | N/A
withRouter-HASH.js         | 306 B   | 308 B   | N/A
1afbb74e6ecf..834.css      | 106 B   | 106 B   |
Overall change             | 608 B   | 608 B   |

Client Build Manifests

File (gzip)                | vercel/next.js canary | vercel/next.js shu/72b4 | Change
_buildManifest.js          | 484 B   | 484 B   |
Overall change             | 484 B   | 484 B   |

Rendered Page Sizes

Page (gzip)                | vercel/next.js canary | vercel/next.js shu/72b4 | Change
index.html                 | 529 B   | 527 B   | N/A
link.html                  | 542 B   | 541 B   | N/A
withRouter.html            | 523 B   | 523 B   |
Overall change             | 523 B   | 523 B   |

Edge SSR bundle Size

Bundle (gzip)              | vercel/next.js canary | vercel/next.js shu/72b4 | Change
edge-ssr.js                | 94 kB   | 94 kB   | N/A
page.js                    | 150 kB  | 150 kB  | N/A
Overall change             | 0 B     | 0 B     |

Middleware size

File (gzip)                | vercel/next.js canary | vercel/next.js shu/72b4 | Change
middleware-b..fest.js      | 623 B   | 623 B   |
middleware-r..fest.js      | 151 B   | 149 B   | N/A
middleware.js              | 37.6 kB | 37.6 kB | N/A
edge-runtime..pack.js      | 1.92 kB | 1.92 kB |
Overall change             | 2.55 kB | 2.55 kB |

Next Runtimes

Runtime (gzip)             | vercel/next.js canary | vercel/next.js shu/72b4 | Change
app-page-exp...dev.js      | 170 kB  | 170 kB  | N/A
app-page-exp..prod.js      | 95.8 kB | 95.8 kB | N/A
app-page-tur..prod.js      | 96.4 kB | 96.5 kB | N/A
app-page-tur..prod.js      | 91 kB   | 91 kB   | N/A
app-page.run...dev.js      | 142 kB  | 142 kB  | N/A
app-page.run..prod.js      | 90.3 kB | 90.4 kB | N/A
app-route-ex...dev.js      | 22.2 kB | 22.2 kB |
app-route-ex..prod.js      | 14.9 kB | 14.9 kB |
app-route-tu..prod.js      | 14.9 kB | 14.9 kB |
app-route-tu..prod.js      | 14.5 kB | 14.5 kB |
app-route.ru...dev.js      | 21.7 kB | 21.7 kB |
app-route.ru..prod.js      | 14.5 kB | 14.5 kB |
pages-api-tu..prod.js      | 9.43 kB | 9.43 kB |
pages-api.ru...dev.js      | 9.7 kB  | 9.7 kB  |
pages-api.ru..prod.js      | 9.43 kB | 9.43 kB |
pages-turbo...prod.js      | 22 kB   | 22 kB   |
pages.runtim...dev.js      | 22.7 kB | 22.7 kB |
pages.runtim..prod.js      | 22 kB   | 22 kB   |
server.runti..prod.js      | 49.7 kB | 49.7 kB |
Overall change             | 248 kB  | 248 kB  |

Diff details

Diffs for app-page-exp..ntime.dev.js, app-page-exp..time.prod.js, app-page-tur..time.prod.js (both entries), app-page.runtime.dev.js and app-page.runtime.prod.js: too large to display.

Commit: e2a575f60ab4a24b6788b33e060583e103100494

ijjk avatar Jan 31 '24 17:01 ijjk

I have test cases here: https://github.com/vercel/next.js/pull/59877/files which might be possible to use.

There is still a mismatch with fieldSize vs. bodySize. With both this and my suggestion it would be possible to post a form which exceeds the bodySizeLimit, since each field can have the size specified in bodySizeLimit.

With something like this:

<form>
  {/* each field is exactly bodySizeLimit bytes, so a per-field check passes both */}
  <input type="text" value={'a'.repeat(bodySizeLimit)} name="x" />
  <input type="text" value={'b'.repeat(bodySizeLimit)} name="y" />
</form>

it will be able to submit, but it should not since the total size of the post body is exceeding the limit set in bodySizeLimit.

Without a change in busboy I am worried that something like this:

<form>
  {/* 99999 fields, each at the per-field limit */}
  {Array.from(new Array(99999)).map((x, i) => (
    <input key={i} type="text" value={'a'.repeat(bodySizeLimit)} name={'x' + i} />
  ))}
</form>

would be possible with no way of stopping it, since busboy will read the entire thing.

TryingToImprove avatar Jan 31 '24 18:01 TryingToImprove

When can this be merged? This bug prevents me from deploying.

IVEN21 avatar Mar 13 '24 19:03 IVEN21