From 0fa7d12dbfb7ae016657dd91034b4c0781ea43de Mon Sep 17 00:00:00 2001 From: Dan Prince Date: Fri, 23 Mar 2012 15:40:57 -0400 Subject: Adds middleware to limit request body sizes. Fixes LP Bug #962515. Change-Id: Ic1be1459515654d45febd89da58b19e0840aaf9d --- nova/api/sizelimit.py | 54 ++++++++++++++++++++++++++++++++++++++++ nova/tests/api/test_sizelimit.py | 51 +++++++++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 nova/api/sizelimit.py create mode 100644 nova/tests/api/test_sizelimit.py (limited to 'nova') diff --git a/nova/api/sizelimit.py b/nova/api/sizelimit.py new file mode 100644 index 000000000..69eee19bb --- /dev/null +++ b/nova/api/sizelimit.py @@ -0,0 +1,54 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright (c) 2012 OpenStack, LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +""" +Request Body limiting middleware. + +""" + +import webob.dec +import webob.exc + +from nova import context +from nova import flags +from nova import log as logging +from nova.openstack.common import cfg +from nova import wsgi + + +#default request size is 112k +max_request_body_size_opt = cfg.BoolOpt('osapi_max_request_body_size', + default=114688, + help='') + +FLAGS = flags.FLAGS +FLAGS.register_opt(max_request_body_size_opt) +LOG = logging.getLogger(__name__) + + +class RequestBodySizeLimiter(wsgi.Middleware): + """Add a 'nova.context' to WSGI environ.""" + + def __init__(self, *args, **kwargs): + super(RequestBodySizeLimiter, self).__init__(*args, **kwargs) + + @webob.dec.wsgify(RequestClass=wsgi.Request) + def __call__(self, req): + if (req.content_length > FLAGS.osapi_max_request_body_size + or len(req.body) > FLAGS.osapi_max_request_body_size): + msg = _("Request is too large.") + raise webob.exc.HTTPBadRequest(explanation=msg) + else: + return self.application diff --git a/nova/tests/api/test_sizelimit.py b/nova/tests/api/test_sizelimit.py new file mode 100644 index 000000000..170198b6b --- /dev/null +++ b/nova/tests/api/test_sizelimit.py @@ -0,0 +1,51 @@ +# Copyright (c) 2012 OpenStack, LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import webob + +import nova.api.sizelimit +from nova import flags +from nova import test + +FLAGS = flags.FLAGS +MAX_REQUEST_BODY_SIZE = FLAGS.osapi_max_request_body_size + + +class TestRequestBodySizeLimiter(test.TestCase): + + def setUp(self): + super(TestRequestBodySizeLimiter, self).setUp() + + @webob.dec.wsgify() + def fake_app(req): + return webob.Response() + + self.middleware = nova.api.sizelimit.RequestBodySizeLimiter(fake_app) + self.request = webob.Request.blank('/', method='POST') + + def test_content_length_acceptable(self): + self.request.headers['Content-Length'] = MAX_REQUEST_BODY_SIZE + self.request.body = "0" * MAX_REQUEST_BODY_SIZE + response = self.request.get_response(self.middleware) + self.assertEqual(response.status_int, 200) + + def test_content_length_to_large(self): + self.request.headers['Content-Length'] = MAX_REQUEST_BODY_SIZE + 1 + response = self.request.get_response(self.middleware) + self.assertEqual(response.status_int, 400) + + def test_request_to_large(self): + self.request.body = "0" * (MAX_REQUEST_BODY_SIZE + 1) + response = self.request.get_response(self.middleware) + self.assertEqual(response.status_int, 400) -- cgit