ParamsParser size sanity check

Currently there’s no way to prevent ActionDispatch::ParamsParser from attempting to parse insanely large request bodies (that have been permitted by the web server for whatever reason) that doesn’t rely on accessing a private Rails API in some fashion.

It’s possible to do this by inserting middleware before the ParamsParser, and trying to reconstruct the conditions it checks for before parsing (content-length, looking up a parser for that mime-type) including a size check; alternatively you can swap it out in the middleware stack with itself, but with a custom hash of mime-type parsers and reconstruct what the default JSON one does after a size check.

However, both the conditions that it checks for before parsing as well as the implementation of the default JSON parser change between Rails versions.

I’d like to propose an opt-in public API for allowing ParamsParser to perform a check on the request body bytesize before continuing to parse. This seems generally useful to me, and would allow my monkey patch to mimic a future public API on our upgrade path, even if that patch’s implementation would have to change as we pursue it to stay compatible with interim versions.

The PR for this would be pretty trivial: determine a configuration vector to read the maximum bytesize from, check if the max is set before parsing, and if so read/rewind the response body IO object and abort with a 413 if it exceeds the max. With a little guidance, I’ll happily put it together, with tests.

The questions preventing me from doing so are: where should the configuration live, and should the max size be configurable per parser? And, of course, would such a PR be considered if submitted?


Chris Keele