
Limit max request size


As discussed in the Gitter, my opinion is that starlette should provide a default limit for request size. The main reason is that without it, any Starlette application is vulnerable to very easy DoS. For example, newbie me can write a program as follows:

from starlette.requests import Request
from starlette.responses import Response


async def app(scope, receive, send):
    # Minimal ASGI app showing the problem: the whole request body is
    # pulled into memory with no size limit before anything else happens.
    assert scope['type'] == 'http'
    request = Request(scope, receive)
    body = b''                    # the (empty) response body; the parsed JSON is not used
    data = await request.json()   # buffers the entire request body, however large, then parses it
    response = Response(body, media_type='text/plain')
    await response(scope, receive, send)

As a malicious user, I could send a 30GB sized JSON and cause the memory to go OOM. Other frameworks support this also (Django, Quart). My proposal is to add a default limit which can be overridden in the app configuration.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 13 (9 by maintainers)

Top GitHub Comments

3 reactions
florimondmanca commented, Apr 5, 2020

As much as I intuitively agree with the relevance of supporting this in Starlette core, my two cents here…

My proposal is to add a default limit which can be overridden in the app configuration.

Would this be a kwarg on the Starlette class? I don’t think there’s precedent for this - everything else is provided as middleware (even security features such as CORS or trusted hosts). Also not sure this would be the most reusable API (whereas other frameworks would benefit from a public ASGI middleware).

So personally not sure we want a new config option, or just a middleware that’s documented as « you should really turn this on for production » (both in the middleware docs and any « deployment » docs).

1 reaction
gnat commented, Sep 25, 2021

For those following this, even behind nginx, I’ve realised there are a number of ways to run denial of service on Starlette which can be mitigated with a simple timeout middleware. I recommend a dual solution of setting up nginx client_max_body_size, and using a Starlette middleware.

  1. For nginx, you need to set client_max_body_size to limit total body size (and in turn, file uploads). For example, to limit to 100 MB, your core http config block should look like:
http {
    client_max_body_size 100m;   # requests with a larger body are refused with 413
    # ... other stuff ...
}
  2. As for Starlette itself, a timeout middleware can serve as a “catch all” solution for large file uploads and long running queries. Sample middleware here: https://github.com/tiangolo/fastapi/issues/1752#issuecomment-682579845
from starlette.middleware.base import BaseHTTPMiddleware
from starlette.responses import HTMLResponse
import asyncio

class TimeoutMiddleware(BaseHTTPMiddleware):
    # Abort any request whose handler has not produced a response within 30 seconds.
    async def dispatch(self, request, call_next):
        try:
            response = await asyncio.wait_for(call_next(request), timeout=30)
        except asyncio.TimeoutError:
            # wait_for cancels the still-pending handler before raising
            return HTMLResponse("Request reached timeout.", status_code=504)
        return response

Timeout middleware seems to free the memory used by the attempted file upload as well.

Any additional thoughts, suggestions appreciated! We all want to achieve the goal of making our Starlette Apps more robust.
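The issue text shows the unbounded read, florimondmanca's comment argues for a middleware rather than a config option, and gnat's comment adds a timeout middleware that cuts off slow requests but not a fast, large upload. The following is an added example, not code from the issue, from Starlette, or from any of the commenters: a pure ASGI middleware that caps the request body in bytes. It refuses a declared Content-Length above the cap before reading anything, and because Content-Length may be absent (chunked transfer) or simply false, it also counts every body chunk the inner app pulls through `receive()` and aborts at the first chunk that pushes the total over the cap. The class, function and scenario names are made up for this illustration, the sample bodies are constructed, and the 64-byte cap is only for the demo. Being pure ASGI it runs here with the standard library alone; in a Starlette app it is registered like any other ASGI middleware, for example `Starlette(middleware=[Middleware(RequestSizeLimitMiddleware, max_body=10_000_000)])` (assumed usage, mirroring how Starlette passes `app` and keyword options to a middleware class).

```python
import asyncio


class RequestBodyTooLarge(Exception):
    """Raised from the wrapped receive() once the streamed body passes the cap."""


def declared_content_length(headers):
    """Content-Length the client declared, or None if absent or unparseable.
    ASGI headers are (lowercased name, value) byte pairs."""
    for name, value in headers:
        if name.lower() == b"content-length":
            try:
                return int(value)
            except ValueError:
                return None  # malformed header: fall back to counting the stream
    return None


async def _send_413(send):
    body = b"Request body too large"
    await send({"type": "http.response.start", "status": 413,
                "headers": [(b"content-type", b"text/plain"),
                            (b"content-length", str(len(body)).encode())]})
    await send({"type": "http.response.body", "body": body})


class RequestSizeLimitMiddleware:
    """Hypothetical pure-ASGI middleware: reject request bodies over max_body bytes."""

    def __init__(self, app, max_body=1_048_576):
        self.app = app
        self.max_body = max_body

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        declared = declared_content_length(scope.get("headers", []))
        if declared is not None and declared > self.max_body:
            await _send_413(send)  # refused before a single body byte is read
            return

        seen = 0
        response_started = False

        async def limited_receive():
            # Count what the inner app actually pulls; Content-Length is not trusted.
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_body:
                    raise RequestBodyTooLarge(seen)
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except RequestBodyTooLarge:
            if response_started:
                raise  # status already sent; let the server close the connection
            await _send_413(send)


# Demo harness: an inner app that buffers the whole body (as Request.json() does)
# and an in-process driver that feeds constructed chunks to an ASGI app.
async def echo_length_app(scope, receive, send):
    body = b""
    while True:
        message = await receive()
        body += message.get("body", b"")
        if not message.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": str(len(body)).encode()})


async def _drive(app, chunks, headers=()):
    """Return (status, response body) after posting the given body chunks."""
    scope = {"type": "http", "method": "POST", "path": "/", "headers": list(headers)}
    pending, sent = list(chunks), []

    async def receive():
        body = pending.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(pending)}

    async def send(message):
        sent.append(message)

    await app(scope, receive, send)
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body


LIMIT = 64  # constructed cap for the demo only
guarded = RequestSizeLimitMiddleware(echo_length_app, max_body=LIMIT)


def scenario_small_body():          # 30 bytes in 3 chunks, no Content-Length: passes
    return asyncio.run(_drive(guarded, [b"a" * 10] * 3))


def scenario_declared_too_large():  # honest Content-Length over the cap: refused unread
    return asyncio.run(_drive(guarded, [b"a" * 1000], [(b"content-length", b"1000")]))


def scenario_streamed_too_large():  # no Content-Length, 100 bytes in 5 chunks: cut off
    return asyncio.run(_drive(guarded, [b"a" * 20] * 5))
```

Two details matter in practice. The streamed check still lets the inner app buffer up to the cap plus one chunk before the abort, so the cap should be set with the server's chunk size in mind; an edge limit such as nginx's client_max_body_size drops oversize requests before they reach the worker at all, which is why the two belong together. And once the application has started its response there is no way to turn it into a 413, so the exception is re-raised and the server closes the connection; reading the body early, before doing work, keeps that path rare.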
