| 12345678910111213141516171819202122232425262728293031323334353637383940414243 |
- package middleware
- import (
- "net/http"
- "strings"
- "github.com/gin-gonic/gin"
- )
- // MaxBodyBytes caps the request body size for state-changing requests. It wraps
- // the body in an http.MaxBytesReader so that any handler reading it (gin's
- // ShouldBind, manual io.ReadAll, etc.) receives an error once the limit is
- // exceeded, which the existing bind-failure path reports as a 400 rather than
- // allocating an unbounded buffer or starting a long DB transaction.
- //
- // Methods without a body (GET/HEAD/OPTIONS/TRACE) and a non-positive limit are
- // passed through untouched. Paths ending in one of skipSuffixes are also passed
- // through uncapped — these are routes that legitimately accept a large upload
- // (e.g. database restore, which streams a multi-MiB SQLite file).
- func MaxBodyBytes(limit int64, skipSuffixes ...string) gin.HandlerFunc {
- return func(c *gin.Context) {
- if limit > 0 {
- switch c.Request.Method {
- case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
- default:
- if c.Request.Body != nil && !hasSuffix(c.Request.URL.Path, skipSuffixes) {
- c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, limit)
- }
- }
- }
- c.Next()
- }
- }
- // hasSuffix reports whether path ends in any of the given suffixes.
- func hasSuffix(path string, suffixes []string) bool {
- for _, s := range suffixes {
- if strings.HasSuffix(path, s) {
- return true
- }
- }
- return false
- }
|
