feat(http): add SizeLimitHandler to enforce request body size limit (#6658)

Author: bladehan1

common/src/main/java/org/tron/common/parameter/CommonParameter.java

@@ -228,11 +228,19 @@ public class CommonParameter {
   @Getter
   @Setter
   public long maxConnectionAgeInMillis;
+  // Refers to RPC (gRPC) max message size; see httpMaxMessageSize / jsonRpcMaxMessageSize
+  // below for the HTTP / JSON-RPC counterparts.
   @Getter
   @Setter
   public int maxMessageSize;
   @Getter
   @Setter
+  public long httpMaxMessageSize;
+  @Getter
+  @Setter
+  public long jsonRpcMaxMessageSize;
+  @Getter
+  @Setter
   public int maxHeaderListSize;
   @Getter
   @Setter

common/src/main/java/org/tron/core/config/args/NodeConfig.java

@@ -1,15 +1,18 @@
 package org.tron.core.config.args;
 
 import static org.tron.core.config.Parameter.ChainConstant.MAX_ACTIVE_WITNESS_NUM;
+import static org.tron.core.exception.TronError.ErrCode.PARAMETER_INIT;
 
 import com.typesafe.config.Config;
 import com.typesafe.config.ConfigBeanFactory;
 import com.typesafe.config.ConfigFactory;
+import com.typesafe.config.ConfigValueFactory;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.Getter;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
+import org.tron.core.exception.TronError;
 
 // Node configuration bean for the "node" section of config.conf.
 // ConfigBeanFactory auto-binds all fields including sub-beans, dot-notation keys,
@@ -198,6 +201,7 @@ public static class HttpConfig {
     private int fullNodePort = 8090;
     private boolean solidityEnable = true;
     private int solidityPort = 8091;
+    private long maxMessageSize = 4194304;
     // PBFT fields — handled manually (same naming issue as CommitteeConfig)
     // Default must match CommonParameter.pBFTHttpEnable = true
     @Getter(lombok.AccessLevel.NONE)
@@ -303,6 +307,7 @@ public void setHttpPBFTPort(int v) {
     private int maxBlockRange = 5000;
     private int maxSubTopics = 1000;
     private int maxBlockFilterNum = 50000;
+    private long maxMessageSize = 4194304;
   }
 
   @Getter
@@ -360,7 +365,11 @@ public static class DnsConfig {
    * since ConfigBeanFactory expects typed bean lists, not string lists.
    */
   public static NodeConfig fromConfig(Config config) {
-    Config section = config.getConfig("node");
+    // Normalize human-readable size values (e.g. "4m") to numeric bytes so
+    // ConfigBeanFactory's primitive int/long binding succeeds; same step
+    // enforces non-negative and <= Integer.MAX_VALUE before bean creation
+    // so failures point at the user-facing config path.
+    Config section = normalizeMaxMessageSizes(config).getConfig("node");
 
     // Auto-bind all fields and sub-beans. ConfigBeanFactory fails fast with a
     // descriptive path on any `= null` value — external configs that use the
@@ -500,4 +509,34 @@ private static String getString(Config config, String path, String defaultValue)
     return config.hasPath(path) ? config.getString(path) : defaultValue;
   }
 
+  // Pre-normalize size paths so ConfigBeanFactory's primitive int/long binding succeeds
+  // for human-readable values like "4m" / "128MB". For each maxMessageSize key, parse
+  // via getMemorySize, validate non-negative and <= Integer.MAX_VALUE, and write the
+  // numeric byte value back into the Config tree. Validation errors propagate before
+  // bean creation so the failure points at the user-facing config path.
+  private static Config normalizeMaxMessageSizes(Config config) {
+    String[] paths = {
+        "node.rpc.maxMessageSize",
+        "node.http.maxMessageSize",
+        "node.jsonrpc.maxMessageSize"
+    };
+    Config result = config;
+    for (String path : paths) {
+      if (config.hasPath(path)) {
+        long bytes = parseMaxMessageSize(config, path);
+        result = result.withValue(path, ConfigValueFactory.fromAnyRef(bytes));
+      }
+    }
+    return result;
+  }
+
+  private static long parseMaxMessageSize(Config config, String key) {
+    long value = config.getMemorySize(key).toBytes();
+    if (value < 0 || value > Integer.MAX_VALUE) {
+      throw new TronError(key + " must be non-negative and <= "
+          + Integer.MAX_VALUE + ", got: " + value, PARAMETER_INIT);
+    }
+    return value;
+  }
+
 }

common/src/main/resources/reference.conf

@@ -271,6 +271,9 @@ node {
     solidityPort = 8091
     PBFTEnable = true
     PBFTPort = 8092
+
+    # Maximum HTTP request body size, default 4MB. Independent from rpc.maxMessageSize.
+    maxMessageSize = 4M
   }
 
   rpc {
@@ -402,6 +405,9 @@ node {
 
     # Maximum number for blockFilter
     maxBlockFilterNum = 50000
+
+    # Maximum JSON-RPC request body size, default 4MB. Independent from rpc.maxMessageSize.
+    maxMessageSize = 4M
   }
 
   # Disabled API list (works for http, rpc and pbft, not jsonrpc). Case insensitive.

framework/src/main/java/org/tron/common/application/HttpService.java

@@ -15,10 +15,12 @@
 
 package org.tron.common.application;
 
+import com.google.common.annotations.VisibleForTesting;
 import java.util.concurrent.CompletableFuture;
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.jetty.server.ConnectionLimit;
 import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.handler.SizeLimitHandler;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.tron.core.config.args.Args;
 
@@ -29,6 +31,18 @@ public abstract class HttpService extends AbstractService {
 
   protected String contextPath;
 
+  protected long maxRequestSize = 4 * 1024 * 1024; // 4MB
+
+  @VisibleForTesting
+  public long getMaxRequestSize() {
+    return this.maxRequestSize;
+  }
+
+  @VisibleForTesting
+  public void setMaxRequestSize(long maxRequestSize) {
+    this.maxRequestSize = maxRequestSize;
+  }
+
   @Override
   public void innerStart() throws Exception {
     if (this.apiServer != null) {
@@ -63,7 +77,9 @@ protected void initServer() {
   protected ServletContextHandler initContextHandler() {
     ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
     context.setContextPath(this.contextPath);
-    this.apiServer.setHandler(context);
+    SizeLimitHandler sizeLimitHandler = new SizeLimitHandler(this.maxRequestSize, -1);
+    sizeLimitHandler.setHandler(context);
+    this.apiServer.setHandler(sizeLimitHandler);
     return context;
   }
 

framework/src/main/java/org/tron/core/config/args/Args.java

@@ -573,6 +573,7 @@ private static void applyNodeConfig(NodeConfig nc) {
     PARAMETER.fullNodeHttpPort = http.getFullNodePort();
     PARAMETER.solidityHttpPort = http.getSolidityPort();
     PARAMETER.pBFTHttpPort = http.getPBFTPort();
+    PARAMETER.httpMaxMessageSize = http.getMaxMessageSize();
 
     // ---- JSON-RPC sub-bean ----
     NodeConfig.JsonRpcConfig jsonrpc = nc.getJsonrpc();
@@ -585,6 +586,7 @@ private static void applyNodeConfig(NodeConfig nc) {
     PARAMETER.jsonRpcMaxBlockRange = jsonrpc.getMaxBlockRange();
     PARAMETER.jsonRpcMaxSubTopics = jsonrpc.getMaxSubTopics();
     PARAMETER.jsonRpcMaxBlockFilterNum = jsonrpc.getMaxBlockFilterNum();
+    PARAMETER.jsonRpcMaxMessageSize = jsonrpc.getMaxMessageSize();
 
     // ---- P2P sub-bean ----
     PARAMETER.nodeP2pVersion = nc.getP2p().getVersion();

framework/src/main/java/org/tron/core/services/http/FullNodeHttpApiService.java

@@ -297,6 +297,7 @@ public FullNodeHttpApiService() {
     port = Args.getInstance().getFullNodeHttpPort();
     enable = isFullNode() && Args.getInstance().isFullNodeHttpEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getHttpMaxMessageSize();
   }
 
   @Override

framework/src/main/java/org/tron/core/services/http/Util.java

@@ -356,10 +356,12 @@ public static Transaction packTransaction(String strTransaction, boolean selfTyp
     }
   }
 
+  @Deprecated
   public static void checkBodySize(String body) throws Exception {
     CommonParameter parameter = Args.getInstance();
-    if (body.getBytes().length > parameter.getMaxMessageSize()) {
-      throw new Exception("body size is too big, the limit is " + parameter.getMaxMessageSize());
+    if (body.getBytes().length > parameter.getHttpMaxMessageSize()) {
+      throw new Exception("body size is too big, the limit is "
+          + parameter.getHttpMaxMessageSize());
     }
   }
 

framework/src/main/java/org/tron/core/services/http/solidity/SolidityNodeHttpApiService.java

@@ -170,6 +170,7 @@ public SolidityNodeHttpApiService() {
     port = Args.getInstance().getSolidityHttpPort();
     enable = !isFullNode() && Args.getInstance().isSolidityNodeHttpEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getHttpMaxMessageSize();
   }
 
   @Override

framework/src/main/java/org/tron/core/services/interfaceJsonRpcOnPBFT/JsonRpcServiceOnPBFT.java

@@ -19,6 +19,7 @@ public JsonRpcServiceOnPBFT() {
     port = Args.getInstance().getJsonRpcHttpPBFTPort();
     enable = isFullNode() && Args.getInstance().isJsonRpcHttpPBFTNodeEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getJsonRpcMaxMessageSize();
   }
 
   @Override

framework/src/main/java/org/tron/core/services/interfaceJsonRpcOnSolidity/JsonRpcServiceOnSolidity.java

@@ -19,6 +19,7 @@ public JsonRpcServiceOnSolidity() {
     port = Args.getInstance().getJsonRpcHttpSolidityPort();
     enable = isFullNode() && Args.getInstance().isJsonRpcHttpSolidityNodeEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getJsonRpcMaxMessageSize();
   }
 
   @Override