fix(proxy): fail closed on unsafe Apps Script uploads #1365
Open
maybeknott wants to merge 1 commit into
Apps Script receives relay requests as fully materialized HTTP bodies before script code can inspect, stream, or reject them. A mutating upload with an oversized body, chunked transfer encoding, or no declared Content-Length cannot be bounded reliably once it has entered the Apps Script execution path. The local proxy now enforces that boundary before reading or forwarding the body.
The Apps Script proxy path now defines a conservative 5 MiB request-body ceiling for mutating methods. POST, PUT, and PATCH requests are rejected when Content-Length exceeds that ceiling, when Transfer-Encoding includes chunked, or when Content-Length is absent. Non-mutating requests are ignored by this policy, and malformed Content-Length parsing remains delegated to the existing body parser so unrelated request-validation behavior is unchanged.
The HTTPS MITM relay path applies the guard immediately after parsing the request head and before read_body can buffer application bytes. The plain HTTP relay path receives the current runtime mode and applies the same guard only in apps_script mode. Rejected requests receive a local HTTP/1.1 413 Payload Too Large response with Connection: close and a short body explaining the Apps Script 5 MiB limit.
The user guide now documents the visible 413 behavior in both English and Persian so operators understand that this is a client-side safety boundary for Apps Script mode rather than an upstream server failure.
Focused proxy tests cover allowed small mutating requests, ignored non-mutating requests, oversized Content-Length rejection, chunked mutating upload rejection, missing-length mutating upload rejection, and the HTTPS MITM path returning 413 before body bytes are required.
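
The head-only decision described above, as an added Python example that is not the project's code: the function names, the 413 body wording, the sample requests, and the handling of lower-case methods and repeated Content-Length headers are assumptions of this example.

```python
from typing import Optional

MAX_BODY_BYTES = 5 * 1024 * 1024  # 5 MiB ceiling from the PR description
MUTATING_METHODS = {"POST", "PUT", "PATCH"}
BODY = b"Apps Script mode: upload over 5 MiB or of unknown length refused\n"  # constructed wording
REJECT_413 = (b"HTTP/1.1 413 Payload Too Large\r\nContent-Type: text/plain\r\n"
              b"Content-Length: " + str(len(BODY)).encode() +
              b"\r\nConnection: close\r\n\r\n" + BODY)

def parse_head(head: bytes):
    """Return (method, headers); headers maps lower-cased names to value lists."""
    lines = head.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()  # assumption: 'post' is guarded too
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers

def exceeds_ceiling(value: str) -> bool:
    if not (value.isascii() and value.isdigit()):
        return False  # malformed: left to the existing body parser, as the PR states
    digits = value.lstrip("0") or "0"  # length check first avoids parsing huge numbers
    return len(digits) > len(str(MAX_BODY_BYTES)) or int(digits) > MAX_BODY_BYTES

def upload_guard(head: bytes, apps_script_mode: bool = True) -> Optional[bytes]:
    """Decide from the request head alone; None means the body may be read."""
    if not apps_script_mode:
        return None  # the plain HTTP path applies the guard only in apps_script mode
    method, headers = parse_head(head)
    if method not in MUTATING_METHODS:
        return None  # non-mutating requests are outside the policy
    codings = [c.strip().lower()
               for v in headers.get("transfer-encoding", []) for c in v.split(",")]
    lengths = headers.get("content-length", [])
    if "chunked" in codings or not lengths or any(exceeds_ceiling(v) for v in lengths):
        return REJECT_413  # sent locally, before any body byte is buffered
    return None

# Constructed request heads for a stand-alone run.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: a.example\r\n\r\n",
    b"POST /u HTTP/1.1\r\nHost: a.example\r\nContent-Length: 12\r\n\r\n",
    b"PUT /u HTTP/1.1\r\nHost: a.example\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s.split(b"\r\n")[0], "->", "413" if upload_guard(s) else "forward")
```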