
Feature request - request limitation #392

Open
stijnmoreels opened this issue Dec 11, 2019 · 2 comments · May be fixed by #502
Labels: feature request (Request to add new functionality), help wanted (Community contribution or any kind of help much appreciated), PR approved (A PR for this issue will get accepted, as long as inline with the comms)

Comments

@stijnmoreels

Is your feature request related to a problem? Please describe.
Provide basic request limitations, in the context of more secure/safe API implementations out of the box.

Describe the solution you'd like
Some extra middleware functions that limit requests based on header and body information, using the existing HTTP feature for the body size.

```fsharp
// Opens assumed so the snippet compiles on the ASP.NET Core 3.x / Giraffe 4 stack current at the time of the issue
open System
open Microsoft.AspNetCore.Http
open Microsoft.AspNetCore.Http.Features
open Microsoft.AspNetCore.Server.Kestrel.Core
open Giraffe
open FSharp.Control.Tasks.V2.ContextInsensitive

/// Functionality to limit HTTP requests based on header and body information.
[<AutoOpen>]
module Limit =
  /// Limits to only requests with one of the specified `Content-Type` headers,
  /// returning `406 NotAcceptable` when the request header doesn't exist in the set of specified types.
  /// Note: the comparison is an exact string match, so a header carrying parameters
  /// (e.g. `application/json; charset=utf-8`) only matches when listed in that exact form.
  let contentTypes contentTypes =
    fun next (ctx : HttpContext) ->
      match Option.ofObj ctx.Request.ContentType with
      | Some t when Seq.contains t contentTypes -> next ctx
      | Some _ -> RequestErrors.notAcceptable (text "request header 'Content-Type' doesn't have the expected value") earlyReturn ctx
      | None -> RequestErrors.notAcceptable (text "expected to have request header 'Content-Type'") earlyReturn ctx

  /// Limits to only requests with a specific `Content-Type` header,
  /// returning `406 NotAcceptable` when the request header value doesn't match the specified type.
  let contentType contentType = contentTypes [ contentType ]

  /// Limits request `Content-Length` header to a specified length,
  /// returning `406 NotAcceptable` when no such header is present or the value exceeds the maximum specified length.
  /// Note: `Content-Length` is client-supplied and absent for chunked bodies; this only validates
  /// the declared size. `maxBodySize` below bounds what the server actually reads.
  let contentLength (l : int64) =
    fun next (ctx : HttpContext) ->
      match Option.ofNullable (ctx.Request.GetTypedHeaders().ContentLength) with
      | Some v when v <= l -> next ctx
      | Some _ -> RequestErrors.notAcceptable (text "request header 'Content-Length' is too large") earlyReturn ctx
      | None -> RequestErrors.notAcceptable (text "request doesn't contain 'Content-Length' header") earlyReturn ctx

  /// Limits the request body size to a specified length, returning `413 Payload Too Large` if the body size exceeds the specified maximum.
  /// Kestrel raises the exception while the body is read inside `next`, i.e. asynchronously,
  /// so the `try ... with` must sit inside the `task` that awaits `next ctx`; a synchronous
  /// `try` around the call would let the exception escape.
  let maxBodySize (l : int64) =
    fun next (ctx : HttpContext) ->
      task {
        ctx.Features.Get<IHttpMaxRequestBodySizeFeature>().MaxRequestBodySize <- Nullable l
        try
          return! next ctx
        with :? BadHttpRequestException as ex when ex.StatusCode = 413 ->
          return! (clearResponse >=> setStatusCode ex.StatusCode >=> text "request body too large") earlyReturn ctx
      }
```

Is this too 'application-specific' to be added to Giraffe? I guess since we have a mustAccept core function, we could have some extras as well. All in the context of having some boilerplate code to make the application safer by default.
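As an added end-to-end example (not code from this issue, and not Giraffe's own), the following wires handlers of this kind into a pipeline so the ordering and failure modes are visible. It assumes a .NET 6 project referencing Giraffe 6, so the built-in `task` builder and `Microsoft.AspNetCore.Http.BadHttpRequestException` are available; the names `allowMediaTypes`, `maxBodySize`, `echoLength` and `webApp` are this example's own. It goes beyond the issue's exact-string `Content-Type` check by comparing the parsed media type, so that parameters such as `charset` do not cause false rejections, and it shows why the body cap has to wrap the handler that reads the body.

```fsharp
// Added example, not part of the issue or of Giraffe. Assumes .NET 6 + Giraffe 6.
open System
open System.IO
open Microsoft.AspNetCore.Builder
open Microsoft.AspNetCore.Hosting
open Microsoft.AspNetCore.Http
open Microsoft.AspNetCore.Http.Features
open Microsoft.Extensions.DependencyInjection
open Microsoft.Extensions.Hosting
open Microsoft.Extensions.Primitives
open Microsoft.Net.Http.Headers
open Giraffe

/// Allow only requests whose Content-Type media type is in `allowed`.
/// Parameters such as `; charset=utf-8` are ignored, so legitimate clients
/// are not rejected by an exact string comparison. Answers 406 before the
/// body is touched.
let allowMediaTypes (allowed : string list) : HttpHandler =
  let allowedTypes =
    allowed
    |> List.choose (fun a ->
      match MediaTypeHeaderValue.TryParse(StringSegment a) with
      | true, v -> Some v
      | _ -> None)
  fun next ctx ->
    match ctx.Request.ContentType with
    | null | "" ->
      RequestErrors.notAcceptable (text "request header 'Content-Type' is required") earlyReturn ctx
    | raw ->
      match MediaTypeHeaderValue.TryParse(StringSegment raw) with
      | true, mt when allowedTypes |> List.exists (fun a ->
                        mt.MediaType.Equals(a.MediaType, StringComparison.OrdinalIgnoreCase)) ->
        next ctx
      | _ ->
        RequestErrors.notAcceptable (text "unsupported 'Content-Type'") earlyReturn ctx

/// Cap the request body at `limit` bytes using the server's own body-size feature.
/// Unlike a Content-Length check this bounds what is actually read, including
/// chunked bodies that carry no Content-Length header at all.
let maxBodySize (limit : int64) : HttpHandler =
  fun next ctx ->
    task {
      let feature = ctx.Features.Get<IHttpMaxRequestBodySizeFeature>()
      // The feature is absent on some hosts (e.g. TestServer) and becomes read-only
      // once the body has started being read; in both cases the limit cannot be
      // applied here, so fail closed instead of continuing unbounded.
      if isNull feature || feature.IsReadOnly then
        return! ServerErrors.internalError (text "body size limit could not be applied") earlyReturn ctx
      else
        feature.MaxRequestBodySize <- Nullable limit
        try
          // The 413 is raised from inside the read performed by `next`, so the
          // handler must be awaited inside this try block.
          return! next ctx
        with :? BadHttpRequestException as ex when ex.StatusCode = StatusCodes.Status413PayloadTooLarge ->
          return! (clearResponse >=> setStatusCode ex.StatusCode >=> text "request body too large") earlyReturn ctx
    }

/// The handler that actually consumes the body.
let echoLength : HttpHandler =
  fun next ctx ->
    task {
      use reader = new StreamReader(ctx.Request.Body)
      let! body = reader.ReadToEndAsync()
      return! text (sprintf "received %d chars" body.Length) next ctx
    }

/// Order matters: cheap header checks first, then the body cap, then anything
/// that reads the body.
let webApp : HttpHandler =
  choose [
    POST >=> route "/api/events"
         >=> allowMediaTypes [ "application/json"; "application/x-ndjson" ]
         >=> maxBodySize 16_384L
         >=> echoLength
    RequestErrors.NOT_FOUND "not found" ]

[<EntryPoint>]
let main args =
  Host.CreateDefaultBuilder(args)
    .ConfigureWebHostDefaults(fun webHost ->
      webHost
        .ConfigureServices(fun services -> services.AddGiraffe() |> ignore)
        .Configure(fun app -> app.UseGiraffe webApp)
      |> ignore)
    .Build()
    .Run()
  0
```

Run it with `dotnet run` and send a POST to `/api/events`: a `text/plain` body is refused with 406 without the body being read, a JSON body over 16 KiB (whether it declares a Content-Length or is chunked) is cut off by Kestrel and answered with 413, and anything within the cap reaches `echoLength`. The fail-closed branch in `maxBodySize` is a design choice for this example; an alternative is to log and continue when the feature is unavailable, but then the cap silently stops applying on such hosts.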

@dustinmoris
Member

Hi, thanks for this suggestion. There could be value in exposing such extra handlers if they are generic enough. What are the typical checks that you can think of that you would like to add handlers for? Just the 3 from above or did you have more in mind?

@dustinmoris dustinmoris added the feature request Request to add new functionality label Apr 12, 2020
@stijnmoreels
Author

Hi! There could be more of course. These were just the ones I thought were the most valuable to add from an application security perspective.

@dustinmoris dustinmoris added help wanted Community contribution or any kind of help much appreciated PR approved A PR for this issue will get accepted (as long as inline with the comms) labels Apr 13, 2020
@dustinmoris dustinmoris added this to To do in Giraffe Kanban Dec 9, 2020