PLU-556: GZip compression bombs (#1198)

## Addresses VAPT issue
* Streams the http response and throws an error if it exceeds the max
content length or max compression ratio
* Set timeout to prevent hanging requests

Author: kevinkim-ogp

packages/backend/src/apps/custom-api/__tests__/actions/http-request.test.ts

@@ -20,6 +20,7 @@ const mocks = vi.hoisted(() => ({
   stepQueryResult: vi.fn(() => ({
     config: {},
   })),
+  addInterceptors: vi.fn(),
 }))
 
 vi.mock('../../common/ip-resolver', () => {
@@ -30,6 +31,10 @@ vi.mock('../../common/ip-resolver', () => {
   }
 })
 
+vi.mock('../../common/add-interceptors', () => ({
+  default: mocks.addInterceptors,
+}))
+
 vi.mock('@/models/step', () => ({
   default: {
     query: () => ({
@@ -78,6 +83,7 @@ describe('make http request', () => {
         url: $.step.parameters.url,
         method: $.step.parameters.method,
         data: $.step.parameters.data,
+        responseType: 'stream',
       }),
     )
   })
@@ -98,6 +104,7 @@ describe('make http request', () => {
         url: $.step.parameters.url,
         method: $.step.parameters.method,
         data: $.step.parameters.data,
+        responseType: 'stream',
         headers: {
           Key1: 'Value1',
           Key2: 'Value2',
@@ -174,13 +181,15 @@ describe('make http request', () => {
         url: 'http://test.local/endpoint?1234',
         method: 'POST',
         data: 'meep meep',
+        responseType: 'stream',
       }),
     )
     expect(mocks.httpRequest).toHaveBeenCalledWith(
       expect.objectContaining({
         url: 'https://redirect.com',
         method: 'GET',
         data: 'meep meep',
+        responseType: 'stream',
       }),
     )
   })
@@ -203,13 +212,15 @@ describe('make http request', () => {
         url: 'http://test.local/endpoint?1234',
         method: 'POST',
         data: 'meep meep',
+        responseType: 'stream',
       }),
     )
     expect(mocks.httpRequest).toHaveBeenCalledWith(
       expect.objectContaining({
         url: 'https://redirect.com',
         method: 'POST',
         data: 'meep meep',
+        responseType: 'stream',
       }),
     )
   })
@@ -254,6 +265,7 @@ describe('make http request', () => {
     expect(mocks.httpRequest).toHaveBeenCalledWith(
       expect.objectContaining({
         timeout: CUSTOM_API_TIMEOUT,
+        responseType: 'stream',
       }),
     )
   })
@@ -277,6 +289,7 @@ describe('make http request', () => {
     expect(mocks.httpRequest).toHaveBeenCalledWith(
       expect.objectContaining({
         timeout: 360000,
+        responseType: 'stream',
       }),
     )
   })
@@ -301,6 +314,7 @@ describe('make http request', () => {
       expect(mocks.httpRequest).toHaveBeenCalledWith(
         expect.objectContaining({
           timeout: CUSTOM_API_TIMEOUT,
+          responseType: 'stream',
         }),
       )
     },
@@ -353,6 +367,7 @@ describe('make http request', () => {
             url: $.step.parameters.url,
             method: $.step.parameters.method,
             data: $.step.parameters.data as any,
+            responseType: 'stream',
           }),
         )
       },
@@ -381,6 +396,7 @@ describe('make http request', () => {
             url: $.step.parameters.url,
             method: $.step.parameters.method,
             data: $.step.parameters.data as any,
+            responseType: 'stream',
           }),
         )
       },

packages/backend/src/apps/custom-api/__tests__/common/size-monitor.test.ts

@@ -0,0 +1,78 @@
+import { Readable, Transform, Writable } from 'stream'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+import { createSizeMonitor } from '@/apps/custom-api/common/size-monitor'
+
+const mocks = vi.hoisted(() => ({
+  warn: vi.fn(),
+}))
+
+vi.mock('@/helpers/logger', () => ({
+  default: {
+    warn: mocks.warn,
+  },
+}))
+
+// Helper to stream buffers through a Transform and collect output
+const writeBuffers = (monitor: Transform, buffers: Buffer[]) =>
+  new Promise<Buffer>((resolve, reject) => {
+    const chunks: Buffer[] = []
+
+    const source = Readable.from(buffers)
+    const sink = new Writable({
+      write(chunk, _enc, cb) {
+        chunks.push(Buffer.from(chunk))
+        cb()
+      },
+    })
+
+    source.on('error', reject)
+    monitor.on('error', reject)
+    sink.on('error', reject)
+    sink.on('finish', () => resolve(Buffer.concat(chunks)))
+
+    source.pipe(monitor).pipe(sink)
+  })
+
+describe('createSizeMonitor', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  it('passes through data under the maximum size', async () => {
+    const monitor = createSizeMonitor()
+    const input = [Buffer.alloc(1024), Buffer.from('hello')]
+    const output = await writeBuffers(monitor, input)
+    expect(output.length).toBe(input[0].length + input[1].length)
+    expect(mocks.warn).not.toHaveBeenCalled()
+  })
+
+  it('errors when total size exceeds 20MB', async () => {
+    const monitor = createSizeMonitor()
+    const overLimit = Buffer.alloc(20 * 1024 * 1024 + 1)
+    await expect(writeBuffers(monitor, [overLimit])).rejects.toMatchObject({
+      name: 'AxiosError',
+      isAxiosError: true,
+      response: {
+        status: 413,
+        statusText: 'Payload Too Large',
+        data: { error: 'Response body too large' },
+      },
+    })
+  })
+
+  it('errors when compression ratio exceeds the limit and warns', async () => {
+    const monitor = createSizeMonitor(1) // compressed size 1 byte
+    await expect(
+      writeBuffers(monitor, [Buffer.alloc(200)]),
+    ).rejects.toMatchObject({
+      name: 'AxiosError',
+      isAxiosError: true,
+      response: expect.objectContaining({ status: 413 }),
+    })
+    expect(mocks.warn).toHaveBeenCalled()
+  })
+})