mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-06-28 00:24:19 +00:00
n0ctal
71616b7cf2
* feat(web): cap request body size on state-changing routes * fix(web): exempt importDB from request body size cap The 10 MiB body cap was applied globally, which would break database restore (/panel/api/server/importDB) on any panel whose SQLite backup exceeds the limit. Make MaxBodyBytes accept exempt path suffixes and pass importDB through uncapped; the cap still covers all other state-changing routes. Add a test for the skip-suffix behavior. --------- Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>
44 lines
1.4 KiB
Go
44 lines
1.4 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// MaxBodyBytes caps the request body size for state-changing requests. It wraps
|
|
// the body in an http.MaxBytesReader so that any handler reading it (gin's
|
|
// ShouldBind, manual io.ReadAll, etc.) receives an error once the limit is
|
|
// exceeded, which the existing bind-failure path reports as a 400 rather than
|
|
// allocating an unbounded buffer or starting a long DB transaction.
|
|
//
|
|
// Methods without a body (GET/HEAD/OPTIONS/TRACE) and a non-positive limit are
|
|
// passed through untouched. Paths ending in one of skipSuffixes are also passed
|
|
// through uncapped — these are routes that legitimately accept a large upload
|
|
// (e.g. database restore, which streams a multi-MiB SQLite file).
|
|
func MaxBodyBytes(limit int64, skipSuffixes ...string) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
if limit > 0 {
|
|
switch c.Request.Method {
|
|
case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
|
|
default:
|
|
if c.Request.Body != nil && !hasSuffix(c.Request.URL.Path, skipSuffixes) {
|
|
c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, limit)
|
|
}
|
|
}
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// hasSuffix reports whether path ends in any of the given suffixes.
|
|
func hasSuffix(path string, suffixes []string) bool {
|
|
for _, s := range suffixes {
|
|
if strings.HasSuffix(path, s) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|