satellite/console: GraphQL input length limitation. (#3045)

Bogdan Artemenko 2019-09-20 20:40:26 +03:00 committed by GitHub
parent 1ed724b7a6
commit 69aa0c6cc4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 9 deletions


@ -123,6 +123,7 @@ func NewServer(logger *zap.Logger, config Config, service *console.Service, mail
server.server = http.Server{ server.server = http.Server{
Handler: mux, Handler: mux,
MaxHeaderBytes: ContentLengthLimit.Int(),
} }
return &server return &server
@ -393,7 +394,7 @@ func (server *Server) grapqlHandler(w http.ResponseWriter, r *http.Request) {
w.Header().Set(contentType, applicationJSON) w.Header().Set(contentType, applicationJSON)
token := getToken(r) token := getToken(r)
query, err := getQuery(r) query, err := getQuery(w, r)
if err != nil { if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest) http.Error(w, err.Error(), http.StatusBadRequest)
return return
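Review bot: MaxHeaderBytes at L16 reuses ContentLengthLimit, so the whole request header block (request line, cookies, Authorization) for every route on this mux is capped at 4KB, far below Go's 1MB default, and a browser sending a session cookie alongside ordinary headers can plausibly exceed it and receive 431 Request Header Fields Too Large. Body size and header size are different budgets; consider a separate named constant, e.g. `MaxHeaderBytes: HeaderSizeLimit.Int(),` sized for the largest expected cookie or token, or add a comment on L16 stating why 4KB is known to suffice for this frontend. The same http.Server literal still sets no ReadHeaderTimeout or ReadTimeout, so the limit bounds how many bytes a client may send but not how long it may take to send them. NewServer's body starts before the hunk, and grapqlHandler continues past it.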


@ -12,9 +12,13 @@ import (
"github.com/zeebo/errs" "github.com/zeebo/errs"
"storj.io/storj/internal/memory"
"storj.io/storj/satellite/console/consoleweb/consoleql" "storj.io/storj/satellite/console/consoleweb/consoleql"
) )
// ContentLengthLimit describes 4KB limit
const ContentLengthLimit = 4 * memory.KB
func init() { func init() {
err := mime.AddExtensionType(".ttf", "font/ttf") err := mime.AddExtensionType(".ttf", "font/ttf")
if err != nil { if err != nil {
@ -49,28 +53,29 @@ func getToken(req *http.Request) string {
} }
// getQuery retrieves graphql query from request // getQuery retrieves graphql query from request
func getQuery(req *http.Request) (query graphqlJSON, err error) { func getQuery(w http.ResponseWriter, req *http.Request) (query graphqlJSON, err error) {
switch req.Method { switch req.Method {
case http.MethodGet: case http.MethodGet:
query.Query = req.URL.Query().Get(consoleql.Query) query.Query = req.URL.Query().Get(consoleql.Query)
return query, nil return query, nil
case http.MethodPost: case http.MethodPost:
return queryPOST(req) return queryPOST(w, req)
default: default:
return query, errs.New("wrong http request type") return query, errs.New("wrong http request type")
} }
} }
// queryPOST retrieves graphql query from POST request // queryPOST retrieves graphql query from POST request
func queryPOST(req *http.Request) (query graphqlJSON, err error) { func queryPOST(w http.ResponseWriter, req *http.Request) (query graphqlJSON, err error) {
limitedReader := http.MaxBytesReader(w, req.Body, ContentLengthLimit.Int64())
switch typ := req.Header.Get(contentType); typ { switch typ := req.Header.Get(contentType); typ {
case applicationGraphql: case applicationGraphql:
body, err := ioutil.ReadAll(req.Body) body, err := ioutil.ReadAll(limitedReader)
query.Query = string(body) query.Query = string(body)
return query, errs.Combine(err, req.Body.Close()) return query, errs.Combine(err, limitedReader.Close())
case applicationJSON: case applicationJSON:
err := json.NewDecoder(req.Body).Decode(&query) err := json.NewDecoder(limitedReader).Decode(&query)
return query, errs.Combine(err, req.Body.Close()) return query, errs.Combine(err, limitedReader.Close())
default: default:
return query, errs.New("can't parse request body of type %s", typ) return query, errs.New("can't parse request body of type %s", typ)
} }
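Review bot: When the MaxBytesReader in queryPOST trips, the size error is merged into the generic read/decode error at L60 and L63 and surfaces from grapqlHandler as a plain 400, so a client that hit the 4KB cap cannot distinguish it from malformed input and operators cannot count the events; consider detecting the limit error before returning and mapping it to 413 Request Entity Too Large (via `errors.As` with `*http.MaxBytesError` on Go 1.19+). The doc comment on ContentLengthLimit at L34 only restates the value; something like `// ContentLengthLimit bounds the bytes read from a POST body by queryPOST and is also used as the server's MaxHeaderBytes.` tells a reader what the constant protects and where a change to it is felt. The import hunk and init() extend beyond the hunk edges, and queryPOST's closing brace is the last line shown.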