Add Oracle limit

[shargon]

No description provided.

[shargon]

@dotnet-policy-service agree

@shargon please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@dotnet-policy-service agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.

@dotnet-policy-service agree

• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

@dotnet-policy-service agree company="Microsoft"

Contributor License Agreement

[shargon]

@roman-khimov Please, could you take a look?

[erikzhang]

Is the response size of NeoFS also limited?

[AnnaShaleva]

Is the response size of NeoFS also limited?

It should be limited by the client, but currently it's not. So the problem exists for OracleNeoFSProtocol as far. The size of a single physical NeoFS object is limited by 64MB in mainnet\testnet, but there are large ("virtual") objects constructed from a set of small physical ones and these are almost unlimited.

The neofs-api-csharp Client is capable to handle such large "virtual" objects and doesn't restrict their maximum size:
https://github.com/neo-ngd/neofs-api-csharp/blob/82ca3de1d87c96a04bdf094c60c7c6039bbacf81/src/Neo.FileStorage.API/client/Client.Object.cs#L106-L123
OracleNeoFSProtocol uses both client.GetObject and client.GetObjectPayloadRangeData, reads object data from the stream and converts the potentially large result directly to string:

neo-modules/src/OracleService/Protocols/OracleNeoFSProtocol.cs

Lines 97 to 101 in 4e31068

	private static async Task<string> GetPayloadAsync(Client client, Address addr, CancellationToken cancellation)
	{
	Object obj = await client.GetObject(addr, options: new CallOptions { Ttl = 2 }, context: cancellation);
	return obj.Payload.ToString(Utility.StrictUTF8);
	}

and

neo-modules/src/OracleService/Protocols/OracleNeoFSProtocol.cs

Lines 103 to 108 in 4e31068

	private static async Task<string> GetRangeAsync(Client client, Address addr, string[] ps, CancellationToken cancellation)
	{
	if (ps.Length == 0) throw new FormatException("missing object range (expected 'Offset|Length')");
	Range range = ParseRange(ps[0]);
	var res = await client.GetObjectPayloadRangeData(addr, range, options: new CallOptions { Ttl = 2 }, context: cancellation);
	return Utility.StrictUTF8.GetString(res);

Preferred solution

Ideally, to solve this problem we need a change in the neofs-api-csharp Client's API to limit the amount of data that can be read from the stream. In neofs-sdk-go it is done by returning the ObjectReader structure so that it's the reader responsibility to restrict the amount of data that can be read from the underlying transmission channel: https://pkg.go.dev/github.com/nspcc-dev/neofs-sdk-go@v1.0.0-rc.8/client#Client.ObjectGetInit.

Another possible solution

Another way to solve this problem without neofs-api-csharp Client's API changes is to use GetObjectPayloadRangeData combined with manually pre-checked range lenght on the OracleNeoFSProtocol side for both GetObjectRange and GetObject operations. However, this way requires to access and check object headers firstly and is a "kludgy" way in general.

[AnnaShaleva]

We should also consider fixing OracleNeoFSProtocol wrt #800 (comment).

[AnnaShaleva]

We should probably adjust the exception handler of OracleService wrt this change. Currently if the responce content exceeds OracleResponse.MaxResultSize length, the exception will be thrown by message.Content.ReadAsStringAsync(...) method:

neo-modules/src/OracleService/Protocols/OracleHttpsProtocol.cs

Line 85 in 4e31068

return (OracleResponseCode.Success, await message.Content.ReadAsStringAsync(cancellation));

It will be catched by the following catch block:

neo-modules/src/OracleService/OracleService.cs

Lines 361 to 368 in 4e31068

	try
	{
	return await protocol.ProcessAsync(uri, ctsLinked.Token);
	}
	catch (Exception ex)
	{
	return (OracleResponseCode.Error, $"Request <{url}> Error:{ex.Message}");
	}

As a result, we'll have OracleResponseCode.Error code instead of OracleResponseCode.ResponseTooLarge which is more appropriate in this case. In neo-go we return OracleResponseCode.ResponseTooLarge in this case.

[shargon]

Which exception is throw?

[AnnaShaleva]

It's up to you to investigate which one. The documentation doesn't name it: https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclient.maxresponsecontentbuffersize?view=net-8.0#remarks.

[shargon]

@superboyiii could you test it?

[superboyiii]

@superboyiii could you test it?

Sure

[superboyiii]

@superboyiii could you test it?

@shargon Due to my test result, the same as @AnnaShaleva said. We need solve it.

[ZhangTao1596]

We should also consider fixing OracleNeoFSProtocol wrt #800 (comment).

@AnnaShaleva @shargon There is a stream version GetObject here https://github.com/neo-ngd/neofs-api-csharp/blob/82ca3de1d87c96a04bdf094c60c7c6039bbacf81/src/Neo.FileStorage.API/client/Client.Object.cs#LL39C9-L39C9
We can limit read payload size in stream.

[roman-khimov]

The !message.Content.Headers.ContentLength.HasValue part of it may affect legitimate responses that fit the limit, but don't have the header for whatever reason (dynamically generated content, for example).

[shargon]

We can require this header

[roman-khimov]

That'd be an artificial limitation to me. It shouldn't be hard to handle !message.Content.Headers.ContentLength.HasValue case as well, NeoGo handles both cases easily.

[AnnaShaleva]

If response stream contains more than buffer.Length bytes, then it's an error and we need to return OracleResponseCode.ResponseTooLarge code. And if I'm not mistaken, the current code will just stop reading and return a part of the response with OracleResponseCode.Success code (which isn't the desired behaviour).

[AnnaShaleva]

Please, check the way how it's done in neo-go: https://github.com/nspcc-dev/neo-go/blob/7b86a54fc0dd918a2514b0108be986a6e2cc63fa/pkg/services/oracle/response.go#L71-L82

[shargon]

Please, check it again

[AnnaShaleva]

This part LGTM, resolved.

[AnnaShaleva]

@shargon, could you also consider fixing the same problem for OracleNeoFSProtocol as @ZhangTao1596 suggested? #800 (comment)

[AnnaShaleva]

LGTM!

[shargon]

@superboyiii could you test it?

[superboyiii]

@superboyiii could you test it?

I'm ing...

[superboyiii]

Request: https://api.github.com/users?since=800&per_page=1000

Works as expected!