Skip to content


Subversion checkout URL

You can clone with
Download ZIP


MaxDataSize in bodyParser #264

cjoudrey opened this Issue · 4 comments

3 participants


I suggest we add a way to specify the max data size allowed in the bodyParser middleware.

For instance, if you to limit to 1MB data: bodyParser(1024 * 1024)

The idea is to prevent potential DoS attacks.

If you know your form shouldn't be receiving more than 1MB of data, we should set that limit.

If someone tries to submit more than that amount, the connection will simply be killed and ignored.

Imagine the situation where someone maliciously passes a POST request with millions of keys or even worse a JSON with millions of keys.


tj commented

check out the limit() middleware. it would be greatly improved, but from my bit of research within node and asking Ryan it seems like at the moment there is no reasonable way to respond in such a case, all you can do is close the socket. If you respond with some fancy page or nice message saying "hey you're request is to big" (which is in some cases legit) the watcher is still busy emitting "data" events. I havent looked into it tons though, I'm sure it's possible with libev, im not happy with the current solution, and I need to add a check for the Content-Length in there


Thanks for pointing out limit() I totally missed it.

That being said shouldn't this be included within the bodyParser or perhaps heavily suggested in Connect/Express' guide?

tj commented

I just tried again, it seems that pausing EV_READ does work, however when paused it seems like res.end() does not work, haven't debugged it or anything but seems a little odd, ideally we could just pause the read end and still write some kind of useful message for legit requests from old ladies trying to upload massive RAW images etc haha

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.