Re: [whatwg/fetch] Add size limiter to `Body#formData` method (Issue #1592) from wattroll on 2023-11-24 (public-webapps-github@w3.org from November 2023)

From: wattroll <notifications@github.com>
Date: Fri, 24 Nov 2023 12:40:44 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1592/1826071318@github.com>

> Right now there is no way to call Body#formData on arbitrary user input without potentially causing an OOM


How about sinking a `clone()` of the request prior to calling `formData()`? 

```typescript
Deno.serve(async function(request) {
  try {
    const sink = new WritableStream(LimitedUnderlyingSink(10_000_000));
    await request.clone().body?.pipeTo(sink, { preventCancel: true });
    const _form = await request.formData(); 
    return new Response("OK\n");
  } catch (error) {
    return new Response(String(error) + '\n');
  }
});

function LimitedUnderlyingSink(maxByteLength: number): UnderlyingSink<ArrayBufferLike> {
  return {
    write(chunk) {
      maxByteLength -= chunk.byteLength;
      if (maxByteLength < 0) {
        throw new DOMException('Size limit exceeded', 'QuotaExceededError');
      }
    }
  }
}
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1592#issuecomment-1826071318
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1592/1826071318@github.com>

Received on Friday, 24 November 2023 20:40:50 UTC