Merge pull request Kong#292 from Mashape/size_limiting_plugin

Request size limiting plugin

Former-commit-id: 759ab37dbb9a71b257a46d88ecb0d13e1137cc14

kong-0.3.0-1.rockspec

@@ -118,6 +118,10 @@ build = {
     ["kong.plugins.ratelimiting.handler"] = "kong/plugins/ratelimiting/handler.lua",
     ["kong.plugins.ratelimiting.access"] = "kong/plugins/ratelimiting/access.lua",
     ["kong.plugins.ratelimiting.schema"] = "kong/plugins/ratelimiting/schema.lua",
+
+    ["kong.plugins.requestsizelimiting.handler"] = "kong/plugins/requestsizelimiting/handler.lua",
+    ["kong.plugins.requestsizelimiting.access"] = "kong/plugins/requestsizelimiting/access.lua",
+    ["kong.plugins.requestsizelimiting.schema"] = "kong/plugins/requestsizelimiting/schema.lua",
 
     ["kong.plugins.request_transformer.handler"] = "kong/plugins/request_transformer/handler.lua",
     ["kong.plugins.request_transformer.access"] = "kong/plugins/request_transformer/access.lua",

kong.yml

@@ -11,6 +11,7 @@ plugins_available:
   - cors
   - request_transformer
   - response_transformer
+  - requestsizelimiting
 
 ## The Kong working directory
 ## (Make sure you have read and write permissions)
@@ -91,7 +92,7 @@ nginx: |
     real_ip_recursive on;
 
     # Other Settings
-    client_max_body_size 128m;
+    client_max_body_size 0;
     underscores_in_headers on;
     reset_timedout_connection on;
     tcp_nopush on;

kong/plugins/requestsizelimiting/access.lua

@@ -0,0 +1,24 @@
+local stringy = require "stringy"
+local response = require "kong.tools.responses"
+
+local _M = {}
+
+
+-- Request size limiting, rejects request if payload size is greater than allowed size
+--
+-- All methods must respect:
+-- @param `conf` Configuration table
+-- @return `response` contains response code and error message
+function _M.execute(conf)
+  local headers = ngx.req.get_headers()
+  local allowed_bytes_size = conf.allowed_payload_size * 100000
+  if tonumber(headers["content-length"]) > allowed_bytes_size then
+    if headers.expect and stringy.strip(headers.expect:lower()) == "100-continue" then
+      return response.send(417, "Request size limit exceeded")
+    else
+      return response.send(413, "Request size limit exceeded")
+    end
+  end
+end
+
+return _M

kong/plugins/requestsizelimiting/handler.lua

@@ -0,0 +1,19 @@
+-- Copyright (C) Mashape, Inc.
+
+local BasePlugin = require "kong.plugins.base_plugin"
+local access = require "kong.plugins.requestsizelimiting.access"
+
+local RequestSizeLimitingHandler = BasePlugin:extend()
+
+function RequestSizeLimitingHandler:new()
+  RequestSizeLimitingHandler.super.new(self, "requestsizelimiting")
+end
+
+function RequestSizeLimitingHandler:access(conf)
+  RequestSizeLimitingHandler.super.access(self)
+  access.execute(conf)
+end
+
+RequestSizeLimitingHandler.PRIORITY = 950
+
+return RequestSizeLimitingHandler

kong/plugins/requestsizelimiting/schema.lua

@@ -0,0 +1,3 @@
+return {
+  allowed_payload_size = { default = 128, type = "number" }
+}

spec/plugins/request_size_limiting_spec.lua

@@ -0,0 +1,54 @@
+local spec_helper = require "spec.spec_helpers"
+local http_client = require "kong.tools.http_client"
+
+local STUB_POST_URL = spec_helper.STUB_POST_URL
+
+describe("RequestSizeLimiting Plugin", function()
+
+  setup(function()
+    spec_helper.prepare_db()
+    spec_helper.insert_fixtures {
+      api = {
+        { name = "tests requestsizelimiting 1", public_dns = "test3.com", target_url = "http://mockbin.com/request" }
+      },
+      plugin_configuration = {
+        { name = "requestsizelimiting", value = {allowed_payload_size = 10}, __api = 1 }
+      }
+    }
+
+    spec_helper.start_kong()
+  end)
+
+  teardown(function()
+    spec_helper.stop_kong()
+  end)
+
+  describe("With request size less than allowed limit", function()
+    it("should be allowed", function()
+      local response, status = http_client.post(STUB_POST_URL, {key = "This is a test string"}, { host = "test3.com", ['Content-Length'] = "24", Expect = "100-continue", ['Content-Type'] = "application/x-www-form-urlencoded" } )
+      assert.are.equal(200, status)
+    end)
+  end)
+
+  describe("With request size greater than allowed limit", function()
+    it("should get blocked", function()
+      local response, status = http_client.post(STUB_POST_URL, {key = "This is a long test string"}, { host = "test3.com", ['Content-Length'] = "12000000", Expect = "100-continue", ['Content-Type'] = "application/x-www-form-urlencoded" } )
+      assert.are.equal(417, status)
+    end)
+  end)
+
+  describe("With request size greater than allowed limit but no expect header", function()
+    it("should get blocked", function()
+      local response, status = http_client.post(STUB_POST_URL, {key = "This is a long test string"}, { host = "test3.com", ['Content-Length'] = "12000000", ['Content-Type'] = "application/x-www-form-urlencoded" } )
+      assert.are.equal(413, status)
+    end)
+  end)
+
+  describe("With request size less than allowed limit but no expect header", function()
+    it("should be allowed", function()
+      local response, status = http_client.post(STUB_POST_URL, {key = "This is a test string"}, { host = "test3.com", ['Content-Length'] = "24", ['Content-Type'] = "application/x-www-form-urlencoded" } )
+      assert.are.equal(200, status)
+    end)
+  end)
+
+end)

spec/unit/statics_spec.lua

@@ -51,6 +51,7 @@ plugins_available:
   - cors
   - request_transformer
   - response_transformer
+  - requestsizelimiting
 
 ## The Kong working directory
 ## (Make sure you have read and write permissions)
@@ -131,7 +132,7 @@ nginx: |
     real_ip_recursive on;
 
     # Other Settings
-    client_max_body_size 128m;
+    client_max_body_size 0;
     underscores_in_headers on;
     reset_timedout_connection on;
     tcp_nopush on;