Add support for completely disabling multipart request handling #66
Conversation
|
Documentation PR: adonisjs/v6-docs#191 |
| throw new Exception('request content-type not supported', { | ||
| status: 415, | ||
| code: 'E_REQUEST_UNSUPPORTED_MEDIA_TYPE', | ||
| }) |
There was a problem hiding this comment.
Wouldn't it be better to create a custom exception class for this and expose it via an errors export, like the @adonisjs/auth package?
That way, people can use instanceof errors.... in an error handler.
However, this would require new documentation for the new exception type...
There was a problem hiding this comment.
I followed the pattern already in use here: https://github.com/adonisjs/bodyparser/blob/develop/src/bodyparser_middleware.ts#L72-L89
|
A fundamental question. Should this change be specific to multipart requests? Or should it be that the bodyparser will throw error when an unsupported content-type is sent in the request? For example: I make a request with |
This is really specific to multipart requests, because in order to process them, you end up writing temporary files to disk. That's a great vector for a denial of service attack if those files aren't consumed. Whilst yes, you could have an acceptedContentTypes option, I would consider that a different feature because it doesn't solve the same problem. Many services never need to accept multipart requests, especially with micro/small services. |
Writing files to disk can be avoided by simply not processing the multipart files using I believe, we should not add too many ways to achieve the same outcome. Ideally, I would want BodyParser as a whole to disallow requests for unsupported types vs just multipart disallowing requests. The solution can be achieved by not introducing any additional fields. We can collect all the supported types by concatenating the |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
thetutlage
added
Type: Enhancement
This still leaves the requests hanging open, which is an attack surface (resource exhaustion) as far as I know. I'm not sure this |
Do you have an example where the request stays open? I tried it right now and the response was sent and no body was parsed at all (infact no attempt to read the stream was made). |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
RomainLanz
added
Status: On Hold
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
|
This pull request has been marked as stale because it has been inactive for more than 21 days. Please reopen if you still intend to submit this pull request |
4 participants
As discussed on discord, by the multipart request handling always being enabled, there can be security implications. This adds a
multipart.enabledoption, which defaults totrue, which allows disabling handling for multipart requests.If
multipart.enabled === falsethen a multipart request is rejected immediately with a HTTP 514 UNSUPPORTED_MEDIA_TYPE response. As mentioned in that documentation, we could also set theAccept-Post/Accept-Patchheader to indicate which content-types are supported by the server, however, this would need something specific inExceptionclass from poppins.🔗 Linked issue
Discussed with @thetutlage on discord today.
❓ Type of change
📚 Description
This allows people using Adonis Framework to improve the security of their servers by allowing them to completely disable multipart request handling. Previously you needed a custom middleware to handle this.
📝 Checklist