From 737160d88cd96323eeac317ed08b4f0d6d83c482 Mon Sep 17 00:00:00 2001
From: repsac
Date: Wed, 21 Sep 2022 19:44:24 +0300
Subject: [PATCH] Respond with status code 413 if request body is too large (#6936)
* Respond with status code 413 if request body is too large
* Use the error method
* Prevent arbitrary error messages from reaching users
* Create strong-baboons-travel.md
* Create five-tools-arrive.md
Co-authored-by: Rich Harris
---
 .changeset/five-tools-arrive.md | 7 +++++++
 .changeset/strong-baboons-travel.md | 5 +++++
 packages/adapter-node/src/handler.js | 2 +-
 packages/adapter-vercel/files/serverless.js | 2 +-
 packages/kit/src/exports/node/index.js | 11 ++++++++---
 packages/kit/src/exports/vite/dev/index.js | 2 +-
 packages/kit/src/exports/vite/preview/index.js | 2 +-
 7 files changed, 24 insertions(+), 7 deletions(-)
 create mode 100644 .changeset/five-tools-arrive.md
 create mode 100644 .changeset/strong-baboons-travel.md
diff --git a/.changeset/five-tools-arrive.md b/.changeset/five-tools-arrive.md
new file mode 100644
index 000000000000..139d51a0ef8a
--- /dev/null
+++ b/.changeset/five-tools-arrive.md
@@ -0,0 +1,7 @@
+---
+"@sveltejs/adapter-node": patch
+"@sveltejs/adapter-vercel": patch
+"@sveltejs/kit": patch
+---
+
+Redact error message if `getRequest` fails
diff --git a/.changeset/strong-baboons-travel.md b/.changeset/strong-baboons-travel.md
new file mode 100644
index 000000000000..b25d4617647b
--- /dev/null
+++ b/.changeset/strong-baboons-travel.md
@@ -0,0 +1,5 @@
+---
+"@sveltejs/kit": patch
+---
+
+Respond with 413 if request body is too large
diff --git a/packages/adapter-node/src/handler.js b/packages/adapter-node/src/handler.js
index 94f331f57ccb..7177e836bf75 100644
--- a/packages/adapter-node/src/handler.js
+++ b/packages/adapter-node/src/handler.js
@@ -56,7 +56,7 @@ const ssr = async (req, res) => {
 });
 } catch (err) {
 res.statusCode = err.status || 400;
- res.end(err.reason || 'Invalid request body');
+ res.end('Invalid request body');
 return;
 }
diff --git a/packages/adapter-vercel/files/serverless.js b/packages/adapter-vercel/files/serverless.js
index 36fbae4c7799..25db646beefc 100644
--- a/packages/adapter-vercel/files/serverless.js
+++ b/packages/adapter-vercel/files/serverless.js
@@ -23,7 +23,7 @@ export default async (req, res) => {
 request = await getRequest({ base: `https://${req.headers.host}`, request: req });
 } catch (err) {
 res.statusCode = err.status || 400;
- return res.end(err.reason || 'Invalid request body');
+ return res.end('Invalid request body');
 }
 setResponse(
diff --git a/packages/kit/src/exports/node/index.js b/packages/kit/src/exports/node/index.js
index b73c5c91b421..67b82e63f537 100644
--- a/packages/kit/src/exports/node/index.js
+++ b/packages/kit/src/exports/node/index.js
@@ -1,4 +1,5 @@
 import * as set_cookie_parser from 'set-cookie-parser';
+import { error } from '../index.js';
 /**
 * @param {import('http').IncomingMessage} req
@@ -27,7 +28,8 @@ function get_raw_body(req, body_size_limit) {
 if (!length) {
 length = body_size_limit;
 } else if (length > body_size_limit) {
- throw new Error(
+ throw error(
+ 413,
 `Received content-length of ${length}, but only accept up to ${body_size_limit} bytes.`
 );
 }
@@ -45,6 +47,7 @@ function get_raw_body(req, body_size_limit) {
 return new ReadableStream({
 start(controller) {
 req.on('error', (error) => {
+ cancelled = true;
 controller.error(error);
 });
@@ -58,8 +61,10 @@ function get_raw_body(req, body_size_limit) {
 size += chunk.length;
 if (size > length) {
- req.destroy(
- new Error(
+ cancelled = true;
+ controller.error(
+ error(
+ 413,
 `request body size exceeded ${
 content_length ? "'content-length'" : 'BODY_SIZE_LIMIT'
 } of ${length}`
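Review bot: The fixed body `'Invalid request body'` now accompanies every status this catch block can emit, including the new 413, so a client that exceeded the body-size limit is told its request was malformed rather than too large; the same pattern is in the serverless.js, vite/dev/index.js and vite/preview/index.js hunks. Dropping `err.reason` from the response is the right call, and choosing the text from the status keeps the message truthful without reintroducing internal detail: `res.end(res.statusCode === 413 ? 'Request body too large' : 'Invalid request body');`. A short comment on the `statusCode` line would also help, e.g. `// err.status is set by the HttpError thrown from getRequest; anything else is a generic 400`. The `ssr` arrow function starts and ends outside the hunk.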
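Review bot: `throw error(413, …)` changes what `get_raw_body` throws from a plain `Error` to the object produced by `error()`, whose `status` the adapter catch blocks now depend on, but the function's JSDoc (partly visible in the first hunk of this file) still documents only its parameters; add a line such as `@throws {ReturnType<typeof error>} 413 when the declared content-length exceeds body_size_limit`. The message still interpolates `body_size_limit`, which is server configuration; the adapters in this patch no longer echo it, but any other consumer of `getRequest` that forwards `err.message` to the client would, so a comment noting that the message is meant for logs rather than responses is worth adding. The enclosing `if (body_size_limit)` block and the function itself extend outside the hunk.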
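Review bot: Inside `req.on('error', (error) => {` the callback parameter `error` shadows the `error` helper imported from '../index.js' in the first hunk of this file, so within this callback `error(...)` is the Node error object rather than the factory used in the following hunk. It works today because the callback only forwards the object, but the next edit that wants to wrap a stream failure as `error(400, …)` here would hit a confusing TypeError; rename the parameter: `req.on('error', (err) => {` and `controller.error(err);`. The `start(controller)` method continues outside the hunk.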
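Review bot: Replacing `req.destroy(...)` with `controller.error(...)` means an oversized request is no longer torn down at the socket: only the consumer-side stream is failed, while Node keeps delivering `data` events for the rest of the body, each of which grows `size` and calls `controller.error` again (effectively a no-op once the stream is errored) unless the handler bails out on `cancelled` — the remainder of the `data` callback is outside the hunk, so this may already be handled. If the socket is deliberately left open so the 413 response can reach the client, the handler should at least stop per-chunk work: `if (cancelled) return;` as the first statement of the callback and `return;` directly after the `controller.error(...)` call. Without that, an oversized upload would be read in full at the server's expense before the response completes, which is the cost the limit exists to avoid.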
diff --git a/packages/kit/src/exports/vite/dev/index.js b/packages/kit/src/exports/vite/dev/index.js
index f9aeb8f3b350..36e2fa0f248c 100644
--- a/packages/kit/src/exports/vite/dev/index.js
+++ b/packages/kit/src/exports/vite/dev/index.js
@@ -397,7 +397,7 @@ export async function dev(vite, vite_config, svelte_config) {
 });
 } catch (/** @type {any} */ err) {
 res.statusCode = err.status || 400;
- return res.end(err.message || 'Invalid request body');
+ return res.end('Invalid request body');
 }
 const template = load_template(cwd, svelte_config);
diff --git a/packages/kit/src/exports/vite/preview/index.js b/packages/kit/src/exports/vite/preview/index.js
index 55a59105b65f..0a24a0b9c932 100644
--- a/packages/kit/src/exports/vite/preview/index.js
+++ b/packages/kit/src/exports/vite/preview/index.js
@@ -137,7 +137,7 @@ export async function preview(vite, vite_config, svelte_config) {
 });
 } catch (/** @type {any} */ err) {
 res.statusCode = err.status || 400;
- return res.end(err.message || 'Invalid request body');
+ return res.end('Invalid request body');
 }
 setResponse(