Consider Content-Length

Author: ammario

docs/guide/rule-engines/javascript.md

@@ -48,7 +48,7 @@ Your JavaScript can return:
 - **Boolean**: `true` to allow, `false` to deny
 - **Object with message**: `{allow: false, deny_message: "Custom error"}`
 - **Just a message**: `{deny_message: "Blocked"}` (implies deny)
-- **Object with byte limit**: `{allow: {max_tx_bytes: 1024}}` (allow but limit request upload to N bytes)
+- **Object with byte limit**: `{allow: {max_tx_bytes: 1024}}` (allow but limit request upload to N bytes, returns 413 if Content-Length exceeds limit)
 
 ```javascript
 // Simple boolean
@@ -147,6 +147,10 @@ uploadHosts.includes(r.host)
   : r.host.endsWith('.example.com')
 ```
 
+**Behavior:**
+- If the request includes a `Content-Length` header that exceeds the limit, the client receives a `413 Payload Too Large` error immediately without contacting the upstream server
+- If no `Content-Length` header is present (e.g., chunked encoding), the request body is truncated at the limit as it streams to the upstream server
+
 ## When to Use
 
 Best for:

docs/guide/rule-engines/line-processor.md

@@ -32,7 +32,7 @@ Your processor must respond with one line per request:
 - **Boolean strings**: `"true"` (allow) or `"false"` (deny)
 - **JSON object**: `{"allow": false, "deny_message": "Blocked by policy"}`
 - **JSON with message only**: `{"deny_message": "Blocked"}` (implies deny)
-- **JSON with byte limit**: `{"allow": {"max_tx_bytes": 1024}}` (allow but limit request upload to N bytes)
+- **JSON with byte limit**: `{"allow": {"max_tx_bytes": 1024}}` (allow but limit request upload to N bytes, returns 413 if Content-Length exceeds limit)
 - **Any other text**: Treated as deny with that text as the message (e.g., `"Access denied"` becomes a deny with message "Access denied")
 
 ## Command Line Usage
@@ -66,6 +66,8 @@ for line in sys.stdin:
             print("true")
         elif req['host'] in upload_hosts:
             # Limit upload endpoints to 1KB requests
+            # Returns 413 error if Content-Length exceeds limit
+            # Truncates body if no Content-Length header
             response = {"allow": {"max_tx_bytes": 1024}}
             print(json.dumps(response))
         else:

src/proxy.rs

@@ -58,12 +58,24 @@ pub fn create_connect_403_response_with_context(context: Option<String>) -> Vec<
 // Use the limited body module for request size limiting
 use crate::limited_body::LimitedBody;
 
+/// Result of applying byte limit check to a request
+pub enum ByteLimitResult {
+    /// Request is within limit (or no Content-Length), proceed with wrapped body
+    WithinLimit(Box<Request<BoxBody<Bytes, HyperError>>>),
+    /// Request exceeds limit based on Content-Length header
+    ExceedsLimit { content_length: u64, max_bytes: u64 },
+}
+
 /// Applies a byte limit to an outgoing request by wrapping its body.
 ///
-/// This function calculates the size of the request headers (request line + headers)
-/// and subtracts it from the total `max_bytes` limit to determine how many bytes
-/// can be used for the body. The request body is then wrapped in a `LimitedBody`
-/// that enforces this limit.
+/// This function first checks the Content-Length header as a heuristic to detect
+/// requests that would exceed the limit. If Content-Length indicates the request
+/// is oversized, it returns `ByteLimitResult::ExceedsLimit` so the caller can
+/// reject the request with a 413 error. This prevents the request from hanging
+/// and provides immediate feedback to the client.
+///
+/// If no Content-Length is present or the request is within limits, the body is
+/// wrapped in a `LimitedBody` that enforces truncation as a fallback.
 ///
 /// # Arguments
 ///
@@ -72,11 +84,11 @@ use crate::limited_body::LimitedBody;
 ///
 /// # Returns
 ///
-/// A new request with the body wrapped in a `LimitedBody` enforcing the limit.
+/// `ByteLimitResult` indicating whether to proceed or reject the request
 pub fn apply_request_byte_limit(
     req: Request<BoxBody<Bytes, HyperError>>,
     max_bytes: u64,
-) -> Request<BoxBody<Bytes, HyperError>> {
+) -> ByteLimitResult {
     let (parts, body) = req.into_parts();
 
     // Calculate request header size to subtract from max_tx_bytes
@@ -99,6 +111,30 @@ pub fn apply_request_byte_limit(
     // Final "\r\n" separator between headers and body
     let total_header_size = request_line_size + headers_size + 2;
 
+    // Check Content-Length as a heuristic to reject oversized requests early
+    // This both provides convenience (immediate error) and prevents hangs
+    if let Some(content_length) = parts
+        .headers
+        .get(hyper::header::CONTENT_LENGTH)
+        .and_then(|v| v.to_str().ok())
+        .and_then(|s| s.parse::<u64>().ok())
+    {
+        let total_size = total_header_size + content_length;
+        if total_size > max_bytes {
+            debug!(
+                content_length = content_length,
+                header_size = total_header_size,
+                total_size = total_size,
+                max_bytes = max_bytes,
+                "Request exceeds byte limit based on Content-Length"
+            );
+            return ByteLimitResult::ExceedsLimit {
+                content_length,
+                max_bytes,
+            };
+        }
+    }
+
     // Subtract header size from total limit to get body limit
     let body_limit = max_bytes.saturating_sub(total_header_size);
 
@@ -110,7 +146,10 @@ pub fn apply_request_byte_limit(
     );
 
     let limited_body = LimitedBody::new(body, body_limit);
-    Request::from_parts(parts, BodyExt::boxed(limited_body))
+    ByteLimitResult::WithinLimit(Box::new(Request::from_parts(
+        parts,
+        BodyExt::boxed(limited_body),
+    )))
 }
 
 // Shared HTTP/HTTPS client for upstream requests
@@ -547,7 +586,23 @@ async fn proxy_request(
 
     // Apply byte limit to outgoing request if specified, converting to BoxBody
     let new_req = if let Some(max_bytes) = max_tx_bytes {
-        apply_request_byte_limit(prepared_req, max_bytes)
+        match apply_request_byte_limit(prepared_req, max_bytes) {
+            ByteLimitResult::WithinLimit(req) => *req,
+            ByteLimitResult::ExceedsLimit {
+                content_length,
+                max_bytes,
+            } => {
+                // Request exceeds limit based on Content-Length - reject immediately
+                let message = format!(
+                    "Request body size ({} bytes) exceeds maximum allowed ({} bytes)",
+                    content_length, max_bytes
+                );
+                return Ok(create_error_response(
+                    StatusCode::PAYLOAD_TOO_LARGE,
+                    &message,
+                )?);
+            }
+        }
     } else {
         // Convert to BoxBody for consistent types
         let (parts, body) = prepared_req.into_parts();

src/proxy_tls.rs

@@ -530,7 +530,23 @@ async fn proxy_https_request(
 
     // Apply byte limit to outgoing request if specified, converting to BoxBody
     let new_req = if let Some(max_bytes) = max_tx_bytes {
-        apply_request_byte_limit(prepared_req, max_bytes)
+        match apply_request_byte_limit(prepared_req, max_bytes) {
+            crate::proxy::ByteLimitResult::WithinLimit(req) => *req,
+            crate::proxy::ByteLimitResult::ExceedsLimit {
+                content_length,
+                max_bytes,
+            } => {
+                // Request exceeds limit based on Content-Length - reject immediately
+                let message = format!(
+                    "Request body size ({} bytes) exceeds maximum allowed ({} bytes)",
+                    content_length, max_bytes
+                );
+                return Ok(crate::proxy::create_error_response(
+                    StatusCode::PAYLOAD_TOO_LARGE,
+                    &message,
+                )?);
+            }
+        }
     } else {
         // Convert to BoxBody for consistent types
         let (parts, body) = prepared_req.into_parts();