feat: (PRO-412) Cap max body size per request to prevent potential ov…#230
Merged
dev-jodee merged 1 commit intorelease/feature-freeze-for-auditfrom Oct 9, 2025
Conversation
…erloading of the server
![ellipsis-dev[bot]](https://avatars.githubusercontent.com/in/64358?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Caution
Changes requested ❌
Reviewed everything up to b3da35e in 1 minute and 33 seconds. Click for details.
- Reviewed
234lines of code in8files - Skipped
0files when reviewing. - Skipped posting
3draft comments. View those below. - Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. tests/adversarial/body_size_limit.rs:24
- Draft comment:
Consider replacing unwrap() with expect() to provide clearer error messages in the test, ensuring that test failures communicate the issue better. - Reason this comment was not posted:
Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50% While expect() generally provides better error messages than unwrap(), this is a test file where the assertion already has a clear error message. The unwrap() is only used to get the status code, and if it fails, the test would fail with a panic that clearly indicates the response couldn't be obtained. The assert_eq! already has a descriptive message. This seems like a minor stylistic preference rather than a significant improvement. The comment does have merit since expect() is generally considered better practice than unwrap(). The change would make errors slightly more descriptive if the request fails to complete. However, the existing error handling is already adequate for a test file, with a clear assertion message. The suggested change would be a minor improvement at best. Delete the comment as it suggests a minor stylistic change that doesn't meaningfully improve the test's clarity or functionality.
2. tests/adversarial/main.rs:8
- Draft comment:
Ensure that the adversarial tests (including body size limits) are isolated and do not impact other integration tests, especially when using shared configuration. - Reason this comment was not posted:
Confidence changes required:50%<= threshold50%None
3. tests/adversarial/main.rs:8
- Draft comment:
Typo: Consider using "DDoS" instead of "DDOS" in the comment for consistency and correctness. - Reason this comment was not posted:
Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50% While technically "DDoS" is the more common capitalization, this is an extremely minor stylistic issue in a comment. The meaning is completely clear either way. The rules explicitly state not to make purely informative comments that don't require code changes. This seems like unnecessary nitpicking. The correct capitalization could be considered part of maintaining professional documentation standards. Some teams might care about this level of consistency. The rules are very clear that we should not make purely informative comments. The meaning is clear regardless of capitalization, and this creates unnecessary noise in the review. Delete this comment as it's purely stylistic, doesn't affect functionality, and violates the rule about not making purely informative comments.
Workflow ID: wflow_Yn10b06uEbFwIS1U
You can customize 
|
|
||
| // Configure and build the server with HTTP support | ||
| let server = ServerBuilder::default() | ||
| .max_request_body_size(config.kora.max_request_body_size as u32) |
Contributor
There was a problem hiding this comment.
Casting max_request_body_size from usize to u32 assumes the value is within u32 bounds. Consider adding an explicit check or documenting the limitation.
amilz
approved these changes
Oct 9, 2025
Contributor
amilz
left a comment
amilz
left a comment
There was a problem hiding this comment.
agree the suggestion from ellips maekes sense but lgtm
dev-jodee
merged commit 8d4f172
into
release/feature-freeze-for-audit
13 of 14 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…erloading of the server
Important
Introduces a feature to cap request body size at 2 MB to prevent server overload, with configuration and tests to ensure compliance.
max_request_body_sizetoKoraConfiginconfig.rswith a default of 2 MB.server.rsto enforcemax_request_body_size.test_request_body_oversized_rejectedinbody_size_limit.rsto ensure oversized requests return 413.DEFAULT_MAX_REQUEST_BODY_SIZEinconstant.rsas 2 MB.body_size_limit.rsto test oversized request handling.config_mock.rsandtoml_mock.rsto supportmax_request_body_sizeconfiguration.config.rsto verify default and custommax_request_body_size.This description was created by
for b3da35e. You can customize this summary. It will automatically update as commits are pushed.
📊 Unit Test Coverage
Unit Test Coverage: 85.4%
View Detailed Coverage Report