|
| 1 | +# Copyright 2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved. |
| 2 | +# |
| 3 | +# Redistribution and use in source and binary forms, with or without |
| 4 | +# modification, are permitted provided that the following conditions |
| 5 | +# are met: |
| 6 | +# * Redistributions of source code must retain the above copyright |
| 7 | +# notice, this list of conditions and the following disclaimer. |
| 8 | +# * Redistributions in binary form must reproduce the above copyright |
| 9 | +# notice, this list of conditions and the following disclaimer in the |
| 10 | +# documentation and/or other materials provided with the distribution. |
| 11 | +# * Neither the name of NVIDIA CORPORATION nor the names of its |
| 12 | +# contributors may be used to endorse or promote products derived |
| 13 | +# from this software without specific prior written permission. |
| 14 | +# |
| 15 | +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ``AS IS'' AND ANY |
| 16 | +# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 17 | +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 18 | +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR |
| 19 | +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
| 20 | +# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
| 21 | +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
| 22 | +# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
| 23 | +# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 24 | +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 25 | +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 26 | + |
| 27 | +from fastapi.responses import JSONResponse |
| 28 | +from starlette.types import ASGIApp, Message, Receive, Scope, Send |
| 29 | +from utils.utils import StatusCode, validate_positive_int |
| 30 | + |
| 31 | + |
| 32 | +async def _disconnect_receive() -> Message: |
| 33 | + return {"type": "http.disconnect"} |
| 34 | + |
| 35 | + |
| 36 | +class RequestSizeLimitMiddleware: |
| 37 | + """ |
| 38 | + Reject HTTP requests whose body exceeds ``http_max_input_size`` bytes. |
| 39 | + First validation rejects on the Content-Length header before any body bytes are |
| 40 | + read. Second validation streams the body chunks, counting bytes as they arrive, |
| 41 | + and rejects as soon as the running total crosses the limit. Driving |
| 42 | + receive() from the middleware protects every endpoint, including |
| 43 | + handlers that never read the body. The buffered body is released the |
| 44 | + moment the application consumes it, so the middleware contributes no |
| 45 | + sustained memory overhead. |
| 46 | + """ |
| 47 | + |
| 48 | + def __init__(self, app: ASGIApp, http_max_input_size: int) -> None: |
| 49 | + self.app = app |
| 50 | + self.http_max_input_size = validate_positive_int(http_max_input_size) |
| 51 | + |
| 52 | + async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None: |
| 53 | + if scope["type"] != "http": |
| 54 | + await self.app(scope, receive, send) |
| 55 | + return |
| 56 | + |
| 57 | + # Stage 1: reject on Content-Length before reading any body bytes. |
| 58 | + for name, value in scope["headers"]: |
| 59 | + if name != b"content-length": |
| 60 | + continue |
| 61 | + try: |
| 62 | + content_length = int(value) |
| 63 | + except ValueError: |
| 64 | + await self._send_error( |
| 65 | + scope, |
| 66 | + send, |
| 67 | + StatusCode.CLIENT_ERROR, |
| 68 | + "invalid_content_length", |
| 69 | + "Invalid Content-Length header: not an integer.", |
| 70 | + ) |
| 71 | + return |
| 72 | + if content_length < 0: |
| 73 | + await self._send_error( |
| 74 | + scope, |
| 75 | + send, |
| 76 | + StatusCode.CLIENT_ERROR, |
| 77 | + "invalid_content_length", |
| 78 | + "Invalid Content-Length header: must be non-negative.", |
| 79 | + ) |
| 80 | + return |
| 81 | + if content_length > self.http_max_input_size: |
| 82 | + await self._send_error( |
| 83 | + scope, |
| 84 | + send, |
| 85 | + StatusCode.CONTENT_TOO_LARGE, |
| 86 | + "content_too_large", |
| 87 | + self._oversized_request_message( |
| 88 | + content_length, self.http_max_input_size |
| 89 | + ), |
| 90 | + ) |
| 91 | + return |
| 92 | + break |
| 93 | + |
| 94 | + # Stage 2: count chunks as they arrive, reject if total exceeds limit. |
| 95 | + body_chunks: list[bytes] = [] |
| 96 | + total = 0 |
| 97 | + while True: |
| 98 | + message = await receive() |
| 99 | + if message["type"] != "http.request": |
| 100 | + return |
| 101 | + chunk = message.get("body", b"") |
| 102 | + total += len(chunk) |
| 103 | + if total > self.http_max_input_size: |
| 104 | + await self._send_error( |
| 105 | + scope, |
| 106 | + send, |
| 107 | + StatusCode.CONTENT_TOO_LARGE, |
| 108 | + "content_too_large", |
| 109 | + self._oversized_request_message(total, self.http_max_input_size), |
| 110 | + ) |
| 111 | + return |
| 112 | + body_chunks.append(chunk) |
| 113 | + if not message.get("more_body", False): |
| 114 | + break |
| 115 | + |
| 116 | + # Assemble the buffered body and replay it to the app. |
| 117 | + body_message: Message = { |
| 118 | + "type": "http.request", |
| 119 | + "body": b"".join(body_chunks), |
| 120 | + "more_body": False, |
| 121 | + } |
| 122 | + del body_chunks |
| 123 | + |
| 124 | + async def replay_receive() -> Message: |
| 125 | + nonlocal body_message |
| 126 | + if body_message is not None: |
| 127 | + # Drop the reference on hand-off so the body is freed while |
| 128 | + # the app processes it, instead of being held by this closure. |
| 129 | + message, body_message = body_message, None |
| 130 | + return message |
| 131 | + # Body already delivered — delegate to the original receive() so |
| 132 | + # streaming responses can wait for the real client disconnect. |
| 133 | + return await receive() |
| 134 | + |
| 135 | + await self.app(scope, replay_receive, send) |
| 136 | + |
| 137 | + @staticmethod |
| 138 | + def _oversized_request_message(actual_bytes: int, max_bytes: int) -> str: |
| 139 | + return ( |
| 140 | + f"Request size of {actual_bytes} bytes exceeds the maximum allowed " |
| 141 | + f"input size of {max_bytes} bytes. " |
| 142 | + f"Use --http-max-input-size to increase the limit." |
| 143 | + ) |
| 144 | + |
| 145 | + async def _send_error( |
| 146 | + self, |
| 147 | + scope: Scope, |
| 148 | + send: Send, |
| 149 | + status_code: int, |
| 150 | + code: str, |
| 151 | + message: str, |
| 152 | + ) -> None: |
| 153 | + response = JSONResponse( |
| 154 | + status_code=status_code, |
| 155 | + content={ |
| 156 | + "error": { |
| 157 | + "message": message, |
| 158 | + "type": "invalid_request_error", |
| 159 | + "code": code, |
| 160 | + } |
| 161 | + }, |
| 162 | + ) |
| 163 | + await response(scope, _disconnect_receive, send) |
0 commit comments