shreemaan-abhishek opened a new pull request, #13466:
URL: https://github.com/apache/apisix/pull/13466

   ### Description
   
   When `forward-auth` is configured with `request_method = "POST"`, the plugin 
reads the entire client request body into memory via `core.request.get_body()` 
to forward it to the external authorization service, with no upper bound. A 
client can send a very large body and force the worker to buffer it in full.
   
   This adds a `max_req_body_size` option (integer, default `1048576` = 1 MiB, 
minimum `1`) that is passed to `core.request.get_body(conf.max_req_body_size)`. 
When the request body exceeds the limit, the request is rejected with `413` 
instead of being buffered without bound. The default matches the default 
`client_max_body_size`, so requests that work under the default configuration 
are unaffected.
   
   Docs and e2e tests (oversized body rejected with 413, body within the limit 
forwarded and authorized) are included.
   
   #### Which issue(s) this PR fixes:
   
   Fixes #
   
   ### Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [x] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
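The pattern the description above sketches, written out as an added illustration of how an APISIX plugin bounds the body it buffers. This is example code, not the diff of this PR and not the project's own `forward-auth` source; it assumes `core.request.get_body(max_size, ctx)` returns `nil, err` for a body over the limit (as the description states) and uses the hypothetical plugin name `forward-auth-example`. One caveat worth keeping in mind: a limit applied by the plugin only bounds what the Lua side buffers, so `client_max_body_size` in nginx stays the outer bound for every route, which is why the default here matches it.

```lua
-- Added example (not the PR's code): a forward-auth style plugin that caps the
-- request body it reads for a POST to the authorization service.
-- Assumptions: core.request.get_body(max_size, ctx) and core.schema.check exist
-- as in apisix/core; plugin name "forward-auth-example" is hypothetical.
local core = require("apisix.core")

local schema = {
    type = "object",
    properties = {
        uri = { type = "string" },
        request_method = { type = "string", default = "GET", enum = { "GET", "POST" } },
        -- Upper bound, in bytes, on the client body buffered for forwarding.
        -- Default 1048576 (1 MiB) matches nginx's default client_max_body_size.
        max_req_body_size = { type = "integer", minimum = 1, default = 1048576 },
    },
    required = { "uri" },
}

local _M = {
    version = 0.1,
    priority = 2002,
    name = "forward-auth-example",
    schema = schema,
}

function _M.check_schema(conf)
    return core.schema.check(schema, conf)
end

-- Read the client body only when it will be forwarded, and only up to the limit.
-- Returns (status, body): status is a non-nil HTTP code when the request must be
-- rejected; otherwise body holds the buffered data (nil for non-POST).
local function read_bounded_body(conf, ctx)
    if conf.request_method ~= "POST" then
        return nil, nil
    end

    -- Passing max_size makes get_body refuse an oversized body instead of
    -- buffering all of it into the worker's memory.
    local body, err = core.request.get_body(conf.max_req_body_size, ctx)
    if err then
        core.log.warn("request body exceeds max_req_body_size=",
                      conf.max_req_body_size, ": ", err)
        return 413, nil
    end
    return nil, body
end

function _M.access(conf, ctx)
    local status, body = read_bounded_body(conf, ctx)
    if status then
        -- Reject before any upstream or auth-service call is made.
        return status
    end

    -- The real plugin builds the auth request here (method, headers, uri) and
    -- sends `body` along with it; a client within the limit is unaffected.
    ctx.forward_auth_body = body
end

return _M
```

With `request_method = "GET"` the body is never read, so the limit only matters on the POST path; a `Content-Length` larger than `max_req_body_size` is refused with 413 before the auth service is contacted, which is the behaviour the PR's e2e tests check.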
