feat: add configuration for limiting external resource body limits

Author: panva

docs/README.md

@@ -503,6 +503,7 @@ location / {
 - [extraParams](#extraparams) - Additional Authorization Request Parameters
 - [extraTokenClaims](#extratokenclaims) - Additional Access Token Claims
 - [fetch](#fetch) - Fetching External Resources
+- [fetchResponseBodyLimits](#fetchresponsebodylimits) - Fetch Response Body Size Limits
 - [issueRefreshToken](#issuerefreshtoken) - Refresh Token Issuance Policy
 - [loadExistingGrant](#loadexistinggrant) - Loading Existing Grants
 - [pairwiseIdentifier](#pairwiseidentifier) - Pairwise Subject Identifier Generation
@@ -3628,6 +3629,23 @@ _**default value**_:
 
 ---
 
+### fetchResponseBodyLimits
+
+Fetch Response Body Size Limits  
+
+Specifies per-purpose maximum response body size limits (in bytes) for external HTTPS resource fetches. When a limit is defined for a given purpose, the authorization server will bail out early on `Content-Length` header values exceeding the limit and will also abort reading the response body when the accumulated size exceeds the limit. Purposes with a limit of `Infinity` will not enforce any size restriction.  
+
+
+_**default value**_:
+```js
+{
+  jwks_uri: Infinity,
+  sector_identifier_uri: Infinity
+}
+```
+
+---
+
 ### formats.bitsOfOpaqueRandomness
 
 Specifies the entropy configuration for opaque token generation. The value shall be an integer (or a function returning an integer) that determines the cryptographic strength of generated opaque tokens. The resulting opaque token length shall be calculated as `Math.ceil(i / Math.log2(n))` where `i` is the specified bit count and `n` is the number of symbols in the encoding alphabet (64 characters in the base64url character set used by this implementation). 

lib/helpers/configuration.js

@@ -73,6 +73,7 @@ class Configuration {
     this.checkCibaDeliveryModes();
     this.checkRichAuthorizationRequests();
     this.checkPostMethods();
+    this.checkFetchResponseBodyLimits();
 
     delete this.cookies.long.maxAge;
     delete this.cookies.long.expires;
@@ -463,6 +464,18 @@ class Configuration {
     }
   }
 
+  checkFetchResponseBodyLimits() {
+    const { fetchResponseBodyLimits } = this;
+    if (!isPlainObject(fetchResponseBodyLimits)) {
+      throw new TypeError('fetchResponseBodyLimits must be a plain object');
+    }
+    for (const [key, value] of Object.entries(fetchResponseBodyLimits)) {
+      if (typeof value !== 'number' || (!Number.isSafeInteger(value) && value !== Infinity) || value < 0) {
+        throw new TypeError(`fetchResponseBodyLimits.${JSON.stringify(key)} must be a non-negative safe integer or Infinity`);
+      }
+    }
+  }
+
   checkDeviceFlow() {
     if (this.features.deviceFlow.enabled) {
       if (this.features.deviceFlow.charset !== undefined) {

lib/helpers/defaults.js

@@ -3417,6 +3417,25 @@ function makeDefaults() {
      */
     fetch: (url, options) => globalThis.fetch(url, options),
 
+    /*
+     * fetchResponseBodyLimits
+     *
+     * title: Fetch Response Body Size Limits
+     *
+     * description: Specifies per-purpose maximum response body size limits (in bytes) for
+     *   external HTTPS resource fetches. When a limit is defined for a given purpose, the
+     *   authorization server will bail out early on `Content-Length` header values exceeding
+     *   the limit and will also abort reading the response body when the accumulated size
+     *   exceeds the limit. Purposes with a limit of `Infinity` will not enforce
+     *   any size restriction.
+     */
+    fetchResponseBodyLimits: {
+      // TODO: introduce default limits in v10.x
+      jwks_uri: Infinity,
+      // TODO: introduce default limits in v10.x
+      sector_identifier_uri: Infinity,
+    },
+
     /*
      * enableHttpPostMethods
      *

lib/helpers/fetch_body_check.js

@@ -0,0 +1,25 @@
+import instance from './weak_cache.js';
+
+export default async function fetchBodyCheck(provider, purpose, response) {
+  const limit = instance(provider).configuration.fetchResponseBodyLimits[purpose];
+
+  if (Number.isFinite(limit)) {
+    const contentLength = response.headers.get('content-length');
+    if (contentLength && parseInt(contentLength, 10) > limit) {
+      await response.body?.cancel();
+      throw new Error('response too large');
+    }
+  }
+
+  const chunks = [];
+  let received = 0;
+  for await (const chunk of response.body) {
+    received += chunk.length;
+    if (Number.isFinite(limit) && received > limit) {
+      await response.body?.cancel();
+      throw new Error('response too large');
+    }
+    chunks.push(chunk);
+  }
+  return Buffer.concat(chunks);
+}

lib/helpers/sector_validate.js

@@ -3,6 +3,7 @@ import { STATUS_CODES } from 'node:http';
 import instance from './weak_cache.js';
 import { InvalidClientMetadata } from './errors.js';
 import fetchRequest from './fetch_request.js';
+import fetchBodyCheck from './fetch_body_check.js';
 
 export default async function sectorValidate(provider, client) {
   if (!instance(provider).configuration.sectorIdentifierUriValidate(client)) {
@@ -24,7 +25,13 @@ export default async function sectorValidate(provider, client) {
 
   let body;
   try {
-    body = await response.json();
+    body = (await fetchBodyCheck(provider, 'sector_identifier_uri', response)).toString();
+  } catch (err) {
+    throw new InvalidClientMetadata('could not load sector_identifier_uri response', err.message);
+  }
+
+  try {
+    body = JSON.parse(body);
   } catch (err) {
     throw new InvalidClientMetadata('failed to parse sector_identifier_uri JSON response', err.message);
   }

lib/models/client.js

@@ -21,6 +21,7 @@ import sectorValidate from '../helpers/sector_validate.js';
 import addClient from '../helpers/add_client.js';
 import getSchema from '../helpers/client_schema.js';
 import fetchRequest from '../helpers/fetch_request.js';
+import fetchBodyCheck from '../helpers/fetch_body_check.js';
 
 // intentionally ignore x5t#S256 so that they are left to be calculated by the library
 const EC_CURVES = new Set(['P-256', 'P-384', 'P-521']);
@@ -175,7 +176,8 @@ export default function getClient(provider) {
             },
           });
 
-          const body = await response.json();
+          const buf = await fetchBodyCheck(provider, 'jwks_uri', response);
+          const body = JSON.parse(buf.toString());
           const { headers, status } = response;
 
           // min refetch in 60 seconds unless cache headers say a longer response ttl

test/configuration/configuration.test.js

@@ -86,4 +86,75 @@ describe('Provider configuration', () => {
       });
     }).to.throw('HTTP POST Method support requires that cookies.long.sameSite is set to none');
   });
+
+  describe('fetchResponseBodyLimits', () => {
+    it('accepts valid finite limits', () => {
+      const conf = new Configuration({
+        fetchResponseBodyLimits: {
+          jwks_uri: 10240,
+          sector_identifier_uri: 2048,
+        },
+      });
+      expect(conf.fetchResponseBodyLimits.jwks_uri).to.equal(10240);
+    });
+
+    it('accepts Infinity (no limit)', () => {
+      const conf = new Configuration({
+        fetchResponseBodyLimits: {
+          jwks_uri: Infinity,
+        },
+      });
+      expect(conf.fetchResponseBodyLimits.jwks_uri).to.equal(Infinity);
+    });
+
+    it('rejects negative values', () => {
+      expect(() => {
+        new Configuration({ // eslint-disable-line no-new
+          fetchResponseBodyLimits: {
+            jwks_uri: -1,
+          },
+        });
+      }).to.throw('fetchResponseBodyLimits."jwks_uri" must be a non-negative safe integer or Infinity');
+    });
+
+    it('rejects non-number values', () => {
+      expect(() => {
+        new Configuration({ // eslint-disable-line no-new
+          fetchResponseBodyLimits: {
+            jwks_uri: '1024',
+          },
+        });
+      }).to.throw('fetchResponseBodyLimits."jwks_uri" must be a non-negative safe integer or Infinity');
+    });
+
+    it('rejects null values', () => {
+      expect(() => {
+        new Configuration({ // eslint-disable-line no-new
+          fetchResponseBodyLimits: {
+            jwks_uri: null,
+          },
+        });
+      }).to.throw('fetchResponseBodyLimits."jwks_uri" must be a non-negative safe integer or Infinity');
+    });
+
+    it('rejects NaN', () => {
+      expect(() => {
+        new Configuration({ // eslint-disable-line no-new
+          fetchResponseBodyLimits: {
+            jwks_uri: NaN,
+          },
+        });
+      }).to.throw('fetchResponseBodyLimits."jwks_uri" must be a non-negative safe integer or Infinity');
+    });
+
+    it('rejects floats', () => {
+      expect(() => {
+        new Configuration({ // eslint-disable-line no-new
+          fetchResponseBodyLimits: {
+            jwks_uri: 10.5,
+          },
+        });
+      }).to.throw('fetchResponseBodyLimits."jwks_uri" must be a non-negative safe integer or Infinity');
+    });
+  });
 });