Fix missing body size limits in Server Action handler #61462

Closed
wants to merge 1 commit into from

Conversation

@shuding (Member) commented Jan 31, 2024

There is one place where we use busboy to parse the request body and we are not setting its size limits.

The fix is similar to what #59277 (comment) suggested (thanks @TryingToImprove). Need to add a test case for it before shipping.

Closes #59277.

Closes NEXT-2314

@ijjk added the labels `created-by: Next.js team` (PRs by the Next.js team) and `type: next` on Jan 31, 2024
@ijjk (Member) commented Jan 31, 2024

Stats from current PR

Default Build

General: overall increase ⚠️

| Metric | vercel/next.js canary | vercel/next.js shu/72b4 | Change |
|---|---|---|---|
| buildDuration | 11.7s | 11.7s | N/A |
| buildDurationCached | 6.2s | 5.3s | N/A |
| nodeModulesSize | 200 MB | 200 MB | ⚠️ +9.98 kB |
| nextStartRea..uration (ms) | 426ms | 431ms | N/A |

Client Bundles (main, webpack)

| File (gzip) | vercel/next.js canary | vercel/next.js shu/72b4 | Change |
|---|---|---|---|
| 3f784ff6-HASH.js | 53.4 kB | 53.4 kB | |
| 423.HASH.js | 185 B | 181 B | N/A |
| 68-HASH.js | 29.9 kB | 29.9 kB | N/A |
| framework-HASH.js | 45.2 kB | 45.2 kB | |
| main-app-HASH.js | 238 B | 240 B | N/A |
| main-HASH.js | 31.8 kB | 31.8 kB | N/A |
| webpack-HASH.js | 1.7 kB | 1.7 kB | |
| Overall change | 100 kB | 100 kB | |

Legacy Client Bundles (polyfills)

| File (gzip) | vercel/next.js canary | vercel/next.js shu/72b4 | Change |
|---|---|---|---|
| polyfills-HASH.js | 31 kB | 31 kB | |
| Overall change | 31 kB | 31 kB | |

Client Pages

| File (gzip) | vercel/next.js canary | vercel/next.js shu/72b4 | Change |
|---|---|---|---|
| _app-HASH.js | 194 B | 195 B | N/A |
| _error-HASH.js | 182 B | 181 B | N/A |
| amp-HASH.js | 502 B | 502 B | |
| css-HASH.js | 320 B | 322 B | N/A |
| dynamic-HASH.js | 2.5 kB | 2.5 kB | N/A |
| edge-ssr-HASH.js | 255 B | 256 B | N/A |
| head-HASH.js | 350 B | 349 B | N/A |
| hooks-HASH.js | 368 B | 369 B | N/A |
| image-HASH.js | 4.18 kB | 4.18 kB | N/A |
| index-HASH.js | 257 B | 256 B | N/A |
| link-HASH.js | 2.61 kB | 2.61 kB | N/A |
| routerDirect..HASH.js | 310 B | 311 B | N/A |
| script-HASH.js | 384 B | 383 B | N/A |
| withRouter-HASH.js | 306 B | 308 B | N/A |
| 1afbb74e6ecf..834.css | 106 B | 106 B | |
| Overall change | 608 B | 608 B | |

Client Build Manifests

| File (gzip) | vercel/next.js canary | vercel/next.js shu/72b4 | Change |
|---|---|---|---|
| _buildManifest.js | 484 B | 484 B | |
| Overall change | 484 B | 484 B | |

Rendered Page Sizes

| File (gzip) | vercel/next.js canary | vercel/next.js shu/72b4 | Change |
|---|---|---|---|
| index.html | 529 B | 527 B | N/A |
| link.html | 542 B | 541 B | N/A |
| withRouter.html | 523 B | 523 B | |
| Overall change | 523 B | 523 B | |

Edge SSR bundle Size

| File (gzip) | vercel/next.js canary | vercel/next.js shu/72b4 | Change |
|---|---|---|---|
| edge-ssr.js | 94 kB | 94 kB | N/A |
| page.js | 150 kB | 150 kB | N/A |
| Overall change | 0 B | 0 B | |

Middleware size

| File (gzip) | vercel/next.js canary | vercel/next.js shu/72b4 | Change |
|---|---|---|---|
| middleware-b..fest.js | 623 B | 623 B | |
| middleware-r..fest.js | 151 B | 149 B | N/A |
| middleware.js | 37.6 kB | 37.6 kB | N/A |
| edge-runtime..pack.js | 1.92 kB | 1.92 kB | |
| Overall change | 2.55 kB | 2.55 kB | |

Next Runtimes

| File (gzip) | vercel/next.js canary | vercel/next.js shu/72b4 | Change |
|---|---|---|---|
| app-page-exp...dev.js | 170 kB | 170 kB | N/A |
| app-page-exp..prod.js | 95.8 kB | 95.8 kB | N/A |
| app-page-tur..prod.js | 96.4 kB | 96.5 kB | N/A |
| app-page-tur..prod.js | 91 kB | 91 kB | N/A |
| app-page.run...dev.js | 142 kB | 142 kB | N/A |
| app-page.run..prod.js | 90.3 kB | 90.4 kB | N/A |
| app-route-ex...dev.js | 22.2 kB | 22.2 kB | |
| app-route-ex..prod.js | 14.9 kB | 14.9 kB | |
| app-route-tu..prod.js | 14.9 kB | 14.9 kB | |
| app-route-tu..prod.js | 14.5 kB | 14.5 kB | |
| app-route.ru...dev.js | 21.7 kB | 21.7 kB | |
| app-route.ru..prod.js | 14.5 kB | 14.5 kB | |
| pages-api-tu..prod.js | 9.43 kB | 9.43 kB | |
| pages-api.ru...dev.js | 9.7 kB | 9.7 kB | |
| pages-api.ru..prod.js | 9.43 kB | 9.43 kB | |
| pages-turbo...prod.js | 22 kB | 22 kB | |
| pages.runtim...dev.js | 22.7 kB | 22.7 kB | |
| pages.runtim..prod.js | 22 kB | 22 kB | |
| server.runti..prod.js | 49.7 kB | 49.7 kB | |
| Overall change | 248 kB | 248 kB | |
Diff details: the diffs for app-page-exp..ntime.dev.js, app-page-exp..time.prod.js, app-page-tur..time.prod.js (two builds), app-page.runtime.dev.js and app-page.runtime.prod.js were too large to display.

Commit: e2a575f

@TryingToImprove (Contributor) commented Jan 31, 2024

I have test cases here: https://github.com/vercel/next.js/pull/59877/files which might be possible to use.

There is still a mismatch with fieldSize vs. bodySize. With both this and my suggestion it would be possible to post a form which exceeds the bodySizeLimit, since each field can have the size specified in bodySizeLimit.

With something like this:

```jsx
<form>
  <input type="text" value={'a'.repeat(bodySizeLimit)} name="x" />
  <input type="text" value={'b'.repeat(bodySizeLimit)} name="y" />
</form>
```

it will be able to submit, but it should not, since the total size of the post body exceeds the limit set in bodySizeLimit.

Without a change in busboy I am worried that something like this:

```jsx
<form>
  {Array.from(new Array(99999)).map((x, i) => (
    <input type="text" value={'a'.repeat(bodySizeLimit)} name={'x' + i} key={i} />
  ))}
</form>
```

would be possible with no way of stopping it, since busboy will read the entire thing.
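The gap described in the comment above and in the PR description (a per-field busboy limit does not bound the total request body), shown as an added example that is not code from this PR, Next.js or busboy. It builds a constructed multipart body, runs it through a hypothetical stand-in parser that enforces only a per-field size (the role `limits.fieldSize` plays on its own), and then through a byte counter on the raw chunks that enforces a total `bodySizeLimit` and stops reading as soon as it is exceeded. The boundary string, the function names, the sample field values and the `Content-Length` gate are assumptions for illustration.

```javascript
'use strict';
// Added example (not code from Next.js, busboy or this PR). Contrasts a
// per-field limit, which is all a parser's fieldSize setting bounds, with a
// byte counter on the raw body that enforces a total bodySizeLimit.
// Boundary, field names and values below are constructed for the demo.

const BOUNDARY = 'exampleBoundary';

// Build a multipart/form-data body from [name, value] pairs (constructed input,
// mirroring what a <form> submission with several text inputs produces).
function buildMultipartBody(fields, boundary = BOUNDARY) {
  const parts = fields.map(
    ([name, value]) =>
      `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`,
  );
  return Buffer.from(parts.join('') + `--${boundary}--\r\n`, 'latin1');
}

// Hypothetical stand-in for a parser with only a per-field limit (not busboy).
// It reads the whole body before deciding, and judges each field on its own,
// so N fields of exactly fieldSize bytes all pass no matter how large N is.
function parseWithFieldSizeLimit(body, fieldSize, boundary = BOUNDARY) {
  const text = body.toString('latin1');
  const fieldLengths = [];
  for (const part of text.split(`--${boundary}`)) {
    if (part === '' || part.startsWith('--')) continue; // preamble / closing delimiter
    const headerEnd = part.indexOf('\r\n\r\n');
    const value = part.slice(headerEnd + 4, part.length - 2); // drop trailing CRLF
    if (value.length > fieldSize) {
      return { ok: false, reason: 'fieldSize exceeded', fieldLengths };
    }
    fieldLengths.push(value.length);
  }
  return { ok: true, fieldLengths };
}

// Cheap first gate: a declared Content-Length above the limit is rejected before
// any body byte is read. Not sufficient alone (chunked requests carry no
// Content-Length and the header is client-controlled), so the counter below
// still runs on the stream.
function contentLengthExceeds(headers, bodySizeLimit) {
  const raw = headers['content-length'];
  if (raw === undefined) return false;
  const declared = Number(raw);
  return Number.isInteger(declared) && declared > bodySizeLimit;
}

// Byte counter over the raw request chunks: rejects as soon as the running
// total passes bodySizeLimit, so the parser never sees the rest. Independent of
// how many fields the body contains or how large each one is.
function enforceBodySizeLimit(chunks, bodySizeLimit) {
  let received = 0;
  let chunksRead = 0;
  for (const chunk of chunks) {
    chunksRead += 1;
    received += chunk.length;
    if (received > bodySizeLimit) {
      return { ok: false, reason: 'bodySizeLimit exceeded', received, chunksRead };
    }
  }
  return { ok: true, received, chunksRead };
}

// Split a buffer into fixed-size chunks, standing in for the socket's data events.
function* chunked(buf, size) {
  for (let i = 0; i < buf.length; i += size) yield buf.subarray(i, i + size);
}

// Two fields of exactly bodySizeLimit bytes each, as in the comment's first
// form: the per-field check passes, the total-body counter rejects early.
function demo(bodySizeLimit = 1024, chunkSize = 256) {
  const body = buildMultipartBody([
    ['x', 'a'.repeat(bodySizeLimit)],
    ['y', 'b'.repeat(bodySizeLimit)],
  ]);
  return {
    bodyBytes: body.length,
    fieldSizeOnly: parseWithFieldSizeLimit(body, bodySizeLimit),
    contentLengthGate: contentLengthExceeds(
      { 'content-length': String(body.length) },
      bodySizeLimit,
    ),
    totalBody: enforceBodySizeLimit(chunked(body, chunkSize), bodySizeLimit),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the defaults, the per-field stand-in reports both 1024-byte fields as fine, while the counter stops after the fifth 256-byte chunk (1280 bytes received) without reading the remaining chunks. The same holds for the many-small-fields form: each field is under any per-field limit, only the running total catches it. In a real server the counter belongs on the request stream in front of the parser (and should destroy the stream on overflow), with the `Content-Length` check as an optional fast path rather than a replacement.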

@IVEN21 commented Mar 13, 2024

When can this be merged? This bug prevents me from deploying.

@shuding shuding closed this in af5b31c Mar 18, 2024
@github-actions github-actions bot added the locked label Apr 1, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 1, 2024
Linked issue (may be closed by merging this pull request): bug: serverActions.bodySizeLimit is ignored

4 participants