fix(dashboard): enforce POST body size limits#2029
Conversation
fallintoplace
commented
Jul 5, 2026
- Add request body size limits to all dashboard POST endpoints.
- Reject payloads over 64 KiB for action endpoints and 1 MiB for /refine-comment with HTTP 413.
- Close readBody event streams safely with data length checks and error handling.
- Add regression tests for default limit and refine-comment limit.
There was a problem hiding this comment.
Pull request overview
This PR adds server-side request body size enforcement for dashboard POST endpoints, returning HTTP 413 with a JSON error payload when limits are exceeded. It also adds regression tests to ensure oversized requests are rejected for both the default POST limit and the larger /refine-comment limit.
Changes:
- Add per-endpoint POST body byte limits (64 KiB default; 1 MiB for
/refine-comment) and a standardized 413 JSON response. - Update POST handlers to use the new bounded body reader and short-circuit on oversized payloads.
- Add tests covering 413 responses for oversized payloads on default endpoints and
/refine-comment.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/apm-contributor-dashboard/.apm/extensions/issue-monitor/server-handler.mjs | Implements byte-limited request body reading and wires 413 handling into POST endpoints. |
| packages/apm-contributor-dashboard/tests/server.test.mjs | Adds regression tests asserting 413 behavior for oversized POST request bodies. |
| } catch (error) { | ||
| if (isPayloadTooLargeError(error)) { | ||
| return { isPayloadTooLarge: true }; | ||
| } | ||
| throw error; | ||
| } |
|
apm-review-panel synthesis for PR #2029 -- fix(dashboard): enforce POST body size limits TL;DR: Well-scoped security fix that covers all 10 POST endpoints with correct HTTP 413 enforcement. One blocking stream-safety bug ( Architecture lens The implementation is pure Node.js Security / Supply-chain lens The fix closes a denial-of-service surface: the old Blocking concern: Fix suggestion: cleanup();
req.once("error", () => {}); // swallow destroy-induced socket error
req.destroy();
reject(createPayloadTooLargeError());Alternatively, prefer Test coverage lens New tests: 2 cases (oversized default, oversized refine-comment). Coverage gaps:
Code quality lens Warning (DRY): The same 7-line sentinel guard block is copy-pasted 9 times. A small helper reduces maintenance surface: function handleBodyError(raw, res) {
if (raw?.isPayloadTooLarge) { sendPayloadTooLarge(res); return true; }
if (raw?.isBodyReadError) { sendBodyReadError(res, raw.error); return true; }
return false;
}
// In each handler:
if (handleBodyError(raw, res)) return;Warning (sentinel pattern): Info: Panel recommendation: REQUEST CHANGES Block on the |
sergio-sisternes-epam
left a comment
There was a problem hiding this comment.
The panel identified one blocking issue before this can merge: the req.destroy() call after cleanup() removes the error listener is a real crash vector in Node.js (unhandled error event terminates the process). Fix: add req.once('error', () => {}) before req.destroy(), or switch to req.resume() to drain gracefully. All other findings are advisory. Happy to re-review once this is addressed.
|
Let me have a look and push the commit. |
@fallintoplace rebase also from main, as the PR is now out-of-date |
Head branch was pushed to by a user without write access
aa757c3 to
45e49fa
Compare