chore: limit sl-volations header to around 8kb (stoplightio#2297)

.gitignore

@@ -25,4 +25,7 @@ cli-binaries
 # Stoplight Style Guides
 .stoplight/styleguide.json
 .stoplight/custom-functions
-.spectral.json
+.spectral.json
+
+# macOS
+.DS_Store

CHANGELOG.md

@@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 # Unreleased
 
+- Limit the `sl-violations` response header to around 8kb. [#2297](https://github.com/stoplightio/prism/pull/2297)
+
 # 5.0.0 (2023.05.17)
 
 ## Changed

packages/http-server/src/server.ts

@@ -37,6 +37,27 @@ function addressInfoToString(addressInfo: AddressInfo | string | null) {
   return `http://${addressInfo.address}:${addressInfo.port}`;
 }
 
+type ValidationError = {
+  location: string[];
+  severity: string;
+  code: string | number | undefined;
+  message: string | undefined;
+};
+
+const MAX_SAFE_HEADER_LENGTH = 8 * 1024 - 100; // 8kb minus some
+function addViolationHeader(reply: ServerResponse, validationErrors: ValidationError[]) {
+  if (validationErrors.length === 0) {
+    return;
+  }
+
+  let value = JSON.stringify(validationErrors);
+  if (value.length > MAX_SAFE_HEADER_LENGTH) {
+    value = `Too many violations! ${value.substring(0, MAX_SAFE_HEADER_LENGTH)}`;
+  }
+
+  reply.setHeader('sl-violations', value);
+}
+
 function parseRequestBody(request: IncomingMessage) {
   // if no body provided then return null instead of empty string
   if (
@@ -99,7 +120,7 @@ export const createServer = (operations: IHttpOperation[], opts: IPrismHttpServe
         const inputOutputValidationErrors = inputValidationErrors.concat(outputValidationErrors);
 
         if (inputOutputValidationErrors.length > 0) {
-          reply.setHeader('sl-violations', JSON.stringify(inputOutputValidationErrors));
+          addViolationHeader(reply, inputOutputValidationErrors);
 
           const errorViolations = outputValidationErrors.filter(
             v => v.severity === DiagnosticSeverity[DiagnosticSeverity.Error]