| 123456789101112131415161718192021222324252627282930313233343536373839404142 |
- package middleware
- import (
- "net/http"
- "strings"
- "github.com/gin-gonic/gin"
- )
- // MaxBodyBytes caps the request body size for state-changing requests. It wraps
- // the body in an http.MaxBytesReader so that any handler reading it (gin's
- // ShouldBind, manual io.ReadAll, etc.) receives an error once the limit is
- // exceeded, which the existing bind-failure path reports as a 400 rather than
- // allocating an unbounded buffer or starting a long DB transaction.
- //
- // Methods without a body (GET/HEAD/OPTIONS/TRACE) and a non-positive limit are
- // passed through untouched. Paths ending in one of skipSuffixes are also passed
- // through uncapped — these are routes that legitimately accept a large upload
- // (e.g. database restore, which streams a multi-MiB SQLite file).
- func MaxBodyBytes(limit int64, skipSuffixes ...string) gin.HandlerFunc {
- return func(c *gin.Context) {
- if limit > 0 {
- switch c.Request.Method {
- case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
- default:
- if c.Request.Body != nil && !hasAnySuffix(c.Request.URL.Path, skipSuffixes) {
- c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, limit)
- }
- }
- }
- c.Next()
- }
- }
- func hasAnySuffix(path string, suffixes []string) bool {
- for _, suffix := range suffixes {
- if suffix != "" && strings.HasSuffix(path, suffix) {
- return true
- }
- }
- return false
- }
|
