From bfe2ef6bfae03444a232883fc7c449206cf3bee4 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Thu, 21 Feb 2019 17:19:16 +0100
Subject: Add request body limit
---
 server/helpers/requests.ts | 41 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)
(limited to 'server/helpers')
diff --git a/server/helpers/requests.ts b/server/helpers/requests.ts
index 5c6dc5e19..3762e4d3c 100644
--- a/server/helpers/requests.ts
+++ b/server/helpers/requests.ts
@@ -1,12 +1,14 @@
 import * as Bluebird from 'bluebird'
-import { createWriteStream } from 'fs-extra'
+import { createWriteStream, remove } from 'fs-extra'
 import * as request from 'request'
 import { ACTIVITY_PUB, CONFIG } from '../initializers'
 import { processImage } from './image-utils'
 import { join } from 'path'
+import { logger } from './logger'
 function doRequest (
- requestOptions: request.CoreOptions & request.UriOptions & { activityPub?: boolean }
+ requestOptions: request.CoreOptions & request.UriOptions & { activityPub?: boolean },
+ bodyKBLimit = 1000 // 1MB
 ): Bluebird<{ response: request.RequestResponse, body: T }> {
 if (requestOptions.activityPub === true) {
 if (!Array.isArray(requestOptions.headers)) requestOptions.headers = {}
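Review bot: `bodyKBLimit` is added to doRequest with no documentation of its unit or of what happens when it is exceeded; the trailing `// 1MB` is the only hint. The last hunk of this patch multiplies the value by 1000, so a comment on the function such as `// bodyKBLimit: maximum response body size in KB (1 KB = 1000 bytes); the returned promise rejects once more has been received` would spare callers from reading the helper to find out. The body of doRequest continues outside this hunk.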
@@ -15,16 +17,29 @@ function doRequest (
 return new Bluebird<{ response: request.RequestResponse, body: T }>((res, rej) => {
 request(requestOptions, (err, response, body) => err ? rej(err) : res({ response, body }))
+ .on('data', onRequestDataLengthCheck(bodyKBLimit))
 })
 }
-function doRequestAndSaveToFile (requestOptions: request.CoreOptions & request.UriOptions, destPath: string) {
+function doRequestAndSaveToFile (
+ requestOptions: request.CoreOptions & request.UriOptions,
+ destPath: string,
+ bodyKBLimit = 10000 // 10MB
+) {
 return new Bluebird((res, rej) => {
 const file = createWriteStream(destPath)
 file.on('finish', () => res())
 request(requestOptions)
- .on('error', err => rej(err))
+ .on('data', onRequestDataLengthCheck(bodyKBLimit))
+ .on('error', err => {
+ file.close()
+
+ remove(destPath)
+ .catch(err => logger.error('Cannot remove %s after request failure.', destPath, { err }))
+
+ return rej(err)
+ })
 .pipe(file)
 })
 }
@@ -44,3 +59,21 @@ export {
 doRequestAndSaveToFile,
 downloadImage
 }
+
+// ---------------------------------------------------------------------------
+
+// Thanks to https://github.com/request/request/issues/2470#issuecomment-268929907 <3
+function onRequestDataLengthCheck (bodyKBLimit: number) {
+ let bufferLength = 0
+ const bytesLimit = bodyKBLimit * 1000
+
+ return function (chunk) {
+ bufferLength += chunk.length
+ if (bufferLength > bytesLimit) {
+ this.abort()
+
+ const error = new Error(`Response was too large - aborted after ${bytesLimit} bytes.`)
+ this.emit('error', error)
+ }
+ }
+}
-- cgit v1.2.3
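Review bot: In doRequestAndSaveToFile, the new cleanup (close the stream, remove `destPath`, reject) runs only for the request's 'error' event; the write stream itself still has no 'error' listener. A failure while writing `destPath` (unwritable directory, full disk) would therefore surface as an unhandled stream error rather than a rejection, and the partial file would stay on disk. Sharing one failure handler between the request and the file stream closes that gap. The inner `err` in the `.catch` callback also shadows the request error, so renaming it makes the log line unambiguous.

```typescript
    const file = createWriteStream(destPath)
    // … unchanged: file.on('finish', …) …

    const fail = (err: Error) => {
      file.close()

      remove(destPath)
        .catch(removeErr => logger.error('Cannot remove %s after request failure.', destPath, { err: removeErr }))

      return rej(err)
    }

    // A write failure must reject and clean up just like a request failure
    file.on('error', fail)

    request(requestOptions)
      .on('data', onRequestDataLengthCheck(bodyKBLimit))
      .on('error', fail)
      .pipe(file)
```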
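Review bot: The size guard in onRequestDataLengthCheck can be disabled without any sign: if `bodyKBLimit` is ever `NaN` (for example a value parsed from configuration), `bufferLength > bytesLimit` is always false and the body is unbounded again. The returned handler also keeps no "already aborted" state, so any chunk delivered after `this.abort()` would emit a second 'error'. Whether request delivers such chunks is not visible from this patch, but the flag is cheap. `this` and `chunk` are implicitly `any`, so the calls to `abort()` and `emit()` are unchecked. `chunk.length` counts characters rather than bytes if a string chunk ever arrives, which `Buffer.byteLength(chunk)` avoids.

```typescript
function onRequestDataLengthCheck (bodyKBLimit: number) {
  // A NaN limit would make the comparison below always false
  if (Number.isNaN(bodyKBLimit)) throw new Error('bodyKBLimit must be a number.')

  let bufferLength = 0
  let aborted = false
  const bytesLimit = bodyKBLimit * 1000

  return function (this: request.Request, chunk: Buffer | string) {
    if (aborted) return

    bufferLength += Buffer.byteLength(chunk)
    if (bufferLength > bytesLimit) {
      aborted = true
      // … unchanged: this.abort(), build the error, this.emit('error', error) …
    }
  }
}
```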