Respond with status code 413 if request body is too large (#6936)

repsac-by · Rich-Harris · web-flow · commit 737160d88cd9 · 2022-09-21T12:44:24.000-04:00
* Respond with status code 413 if request body is too large

* Use the error method

* Prevent arbitrary error messages from reaching users

* Create strong-baboons-travel.md

* Create five-tools-arrive.md

Co-authored-by: Rich Harris &lt;hello@rich-harris.dev&gt;
diff --git a/.changeset/five-tools-arrive.md b/.changeset/five-tools-arrive.md
@@ -0,0 +1,7 @@
+---
+"@sveltejs/adapter-node": patch
+"@sveltejs/adapter-vercel": patch
+"@sveltejs/kit": patch
+---
+
+Redact error message if `getRequest` fails
diff --git a/.changeset/strong-baboons-travel.md b/.changeset/strong-baboons-travel.md
@@ -0,0 +1,5 @@
+---
+"@sveltejs/kit": patch
+---
+
+Respond with 413 if request body is too large
diff --git a/packages/adapter-node/src/handler.js b/packages/adapter-node/src/handler.js
@@ -56,7 +56,7 @@ const ssr = async (req, res) => {
 		});
 	} catch (err) {
 		res.statusCode = err.status || 400;
-		res.end(err.reason || 'Invalid request body');
+		res.end('Invalid request body');
 		return;
 	}
 
diff --git a/packages/adapter-vercel/files/serverless.js b/packages/adapter-vercel/files/serverless.js
@@ -23,7 +23,7 @@ export default async (req, res) => {
 		request = await getRequest({ base: `https://${req.headers.host}`, request: req });
 	} catch (err) {
 		res.statusCode = err.status || 400;
-		return res.end(err.reason || 'Invalid request body');
+		return res.end('Invalid request body');
 	}
 
 	setResponse(
diff --git a/packages/kit/src/exports/node/index.js b/packages/kit/src/exports/node/index.js
@@ -1,4 +1,5 @@
 import * as set_cookie_parser from 'set-cookie-parser';
+import { error } from '../index.js';
 
 /**
  * @param {import('http').IncomingMessage} req
@@ -27,7 +28,8 @@ function get_raw_body(req, body_size_limit) {
 		if (!length) {
 			length = body_size_limit;
 		} else if (length > body_size_limit) {
-			throw new Error(
+			throw error(
+				413,
 				`Received content-length of ${length}, but only accept up to ${body_size_limit} bytes.`
 			);
 		}
@@ -45,6 +47,7 @@ function get_raw_body(req, body_size_limit) {
 	return new ReadableStream({
 		start(controller) {
 			req.on('error', (error) => {
+				cancelled = true;
 				controller.error(error);
 			});
 
@@ -58,8 +61,10 @@ function get_raw_body(req, body_size_limit) {
 
 				size += chunk.length;
 				if (size > length) {
-					req.destroy(
-						new Error(
+					cancelled = true;
+					controller.error(
+						error(
+							413,
 							`request body size exceeded ${
 								content_length ? "'content-length'" : 'BODY_SIZE_LIMIT'
 							} of ${length}`
diff --git a/packages/kit/src/exports/vite/dev/index.js b/packages/kit/src/exports/vite/dev/index.js
@@ -397,7 +397,7 @@ export async function dev(vite, vite_config, svelte_config) {
 					});
 				} catch (/** @type {any} */ err) {
 					res.statusCode = err.status || 400;
-					return res.end(err.message || 'Invalid request body');
+					return res.end('Invalid request body');
 				}
 
 				const template = load_template(cwd, svelte_config);
diff --git a/packages/kit/src/exports/vite/preview/index.js b/packages/kit/src/exports/vite/preview/index.js
@@ -137,7 +137,7 @@ export async function preview(vite, vite_config, svelte_config) {
 				});
 			} catch (/** @type {any} */ err) {
 				res.statusCode = err.status || 400;
-				return res.end(err.message || 'Invalid request body');
+				return res.end('Invalid request body');
 			}
 
 			setResponse(

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ const ssr = async (req, res) => {`
`56`	`56`	`});`
`57`	`57`	`} catch (err) {`
`58`	`58`	`res.statusCode = err.status \|\| 400;`
`59`		`- res.end(err.reason \|\| 'Invalid request body');`
	`59`	`+ res.end('Invalid request body');`
`60`	`60`	`return;`
`61`	`61`	`}`
`62`	`62`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ export default async (req, res) => {`
`23`	`23`	request = await getRequest({ base: `https://${req.headers.host}`, request: req });
`24`	`24`	`} catch (err) {`
`25`	`25`	`res.statusCode = err.status \|\| 400;`
`26`		`- return res.end(err.reason \|\| 'Invalid request body');`
	`26`	`+ return res.end('Invalid request body');`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`setResponse(`
Original file line number	Diff line number	Diff line change
`@@ -397,7 +397,7 @@ export async function dev(vite, vite_config, svelte_config) {`
`397`	`397`	`});`
`398`	`398`	`} catch (/** @type {any} */ err) {`
`399`	`399`	`res.statusCode = err.status \|\| 400;`
`400`		`- return res.end(err.message \|\| 'Invalid request body');`
	`400`	`+ return res.end('Invalid request body');`
`401`	`401`	`}`
`402`	`402`
`403`	`403`	`const template = load_template(cwd, svelte_config);`
Original file line number	Diff line number	Diff line change
`@@ -137,7 +137,7 @@ export async function preview(vite, vite_config, svelte_config) {`
`137`	`137`	`});`
`138`	`138`	`} catch (/** @type {any} */ err) {`
`139`	`139`	`res.statusCode = err.status \|\| 400;`
`140`		`- return res.end(err.message \|\| 'Invalid request body');`
	`140`	`+ return res.end('Invalid request body');`
`141`	`141`	`}`
`142`	`142`
`143`	`143`	`setResponse(`