Add a config option to limit request body size

[andrew4699]

Description

Adds a config option to limit the request body size. This is useful to prevent DoS-style attacks before the request moves further through the request handlers.

Type of change

• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

• Added an integration test
• Existing tests work
• Ran Polaris with no limit, a small limit, and a high limit, and verified that the behavior was as expected

Checklist:

Please delete options that are not relevant.

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• If adding new functionality, I have discussed my implementation with the community using the linked GitHub issue

[flyrain]

I think it should have a default value.

[flyrain]

Checking a bit more about class StreamReadConstraints. -1 is the right default value, which means no limit.

        public Builder maxDocumentLength(long maxDocLen) {
            if (maxDocLen <= 0L) {
                maxDocLen = -1L;
            }

            this.maxDocLen = maxDocLen;
            return this;
        }

[andrew4699]

Thank you for pulling this up, this actually makes me more strongly interested in 0. Please see my new comment below.

[eric-maynard]

I also find 0-as-unlimited a little confusing. I agree that if we make the default -1 it might imply that 0 is different from -1, but I also think a default of 0 is going to raise some questions.

Maybe we should just disallow 0, since StreamReadConstraints doesn't support what 0 would intuitively mean ("reject all requests")

[sfc-gh-aixu]

From the code from StreamReadConstraints, that means both 0 and -1 are considered no limits. But I think it does make sense to have -1 for unlimited and disallow 0.

[andrew4699]

Ok I updated it to default to -1, explained what -1 is, and restricted 0 with an exception/useful comment. I agree that -1 is a better indicator of "no limit" and restricting 0 solves some ambiguity.

[andrew4699]

I agree with the reasons for wanting to make -1 the default value, but I'd like to offer a counterargument for why it may make sense to keep it at 0 in this case:

• As this comment shows, both 0 and -1 disable the limit. Listing -1 may falsely lead the user to believe that 0 is different.
• Default value compatibility across JSON/YAML serializers. With the default set to 0, you don't have to worry about whether your serialization library respects your default value nor what it does with unspecified fields.

[flyrain]

I'm fine with either -1 or 0. My main concern with using 0 is that there is a chance that it might be misunderstood as a valid limit rather than indicating "no limit." In contrast, -1 is less ambiguous in this context. Additionally, I recommend defining a constant for clarity:

private static final long DOCUMENT_BYTES_NO_LIMIT = -1;

[eric-maynard]

1. This comment would ideally not be inline
2. Do we really want to call this maxDocumentBytes? What is a "Document" in the context of a Polaris instance?
3. Whatever we call it, we might put a small comment explaining what this is

[andrew4699]

Renamed to maxRequestBodyBytes and updated/moved the comment.

[andrew4699]

Just updated a couple of things:

• Renamed maxDocumentBytes to maxRequestBodyBytes
• Changed the default to -1 and made it throw an exception if you try to use 0, since the underlying implementation treats 0 and -1 as the same and we don't want to trick the user into thinking 0 actually does something different
• Improved comments in the config
• Added an additional test validating that there's already an existing limit on total header size

[eric-maynard]

nit: "maxRequestBodyBytes must be a positive integer or %d to specify no limit."

[andrew4699]

Updated

[eric-maynard]

nit: Maybe we should constrain this to a positive integer or -1 while we're at it

[andrew4699]

Updated to restrict all but -1

[flyrain]

LGTM with one minor question.

[flyrain]

Should we consider throwing an exception when the configured value for maxRequestBodyBytes is less than -1 (e.g., -2, -100)? While the underlying library can technically handle these values, I believe we should restrict any negative number except for -1, which is already treated as "unlimited." This is consistent with our approach of throwing an exception for a value of 0.

[andrew4699]

Updated to restrict all but -1

[eric-maynard]

LGTM with some optional nits. Thanks for the change!

[snazy]

Error is a name from java.lang - can you choose something different here?

[andrew4699]

Updated

[eric-maynard]

nit: This formatting looks a bit odd. Can it be 2 lines?

[andrew4699]

Updated.

I've just been letting spotless take the wheel with these, but I guess it's ok with either style? We should probably update it to prefer a single format if possible.

[flyrain]

+1 with a minor suggestion

[flyrain]

minor suggestion:

Preconditions.checkArgument(condition, message);

[flyrain]

Thanks @andrew4699 for working on this. Thanks @snazy @eric-maynard for the review.