Reject requests exceeding a size limit

[gquemener]

Description
The idea of this feature lies on the following OWASP recommendation:

Define an appropriate request size limit and reject requests exceeding the limit with HTTP response status 413 Request Entity Too Large

After discussion with @dunglas about implementing this feature in the api-platform project, the subject of implementing it directly in Symfony has been brought.

In my opinion, this feature makes sense in, but is not limited to, a Rest API context, so it'd make sense to implement it in the Symfony HttpKernel component. However, one could argue that this is a security related feature that should live in the Security component.

The implementation would rely on a kernel.request event listener configured with a request content max size (defaulting to ini_get('post_max_size')). Comparison would then be performed against the Content-Length request header. Here's a gist showing how it could look like.

The fact is that it must be implemented smartly in order not to conflict with the existing handling of request size exceeding in the Symfony Form component.

This feature could be disabled by default, for example.
It could be enablable on a global scope, on a route scope, on a pattern scope, ... The choices are quite wide.

Unlike how it's made in the Symfony Form component, I believe it makes sense to perform this check no matter which HTTP method is used.

Finally, unless duplicating this logic in the component which would welcome this feature, we should think about how to extract it in a common package (maybe a new php-directive package which would perform ini_get calls and value normalizations).

Thank you for your time and sharing thoughts about this,
Regards.

Example

Enabling globaly

framework:
    prevent_content_length_exceeding: true
    max_content_length: 10M

Enabling on a route

routes:
    index:
        path: /
        prevent_content_length_exceeding: true
        max_content_length: 10M

[javiereguiluz]

I'd like to ask you why do you think we should add this feature to Symfony instead of solving it in the web server (client_max_body_size option in nginx or LimitRequestBody directive in Apache) or in PHP (post_max_size option). Thanks!

[gquemener]

Hello,

Thanks for pointing out these options.

Indeed this behaviour could be enforced on the web server side, just like many other behaviors (routing could also be done in web server configuration for instance).

I see a few limitations to configuring this in the web server though.

First, it's non portable (changing web server will require to manually port the configurations).
Furthermore, one will not have as much control as needed on the response format (one could want to use the JSON problem format for instance).

Nginx will always return html for instance (I haven't digged too much here, there's probably a way to tweak the nginx errors format though):

> POST / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.59.0
> Content-Type: application/json
> Accept: application/json
> Content-Length: 13
> 

< HTTP/1.1 413 Request Entity Too Large
< Server: nginx/1.10.3
< Date: Sun, 13 May 2018 08:35:02 GMT
< Content-Type: text/html
< Content-Length: 199
< Connection: close
< 
<html>
<head><title>413 Request Entity Too Large</title></head>
<body bgcolor="white">
<center><h1>413 Request Entity Too Large</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

And with Apache:

> POST / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.59.0
> Content-Type: application/json
> Accept: application/json
> Content-Length: 13
>

< HTTP/1.1 413 Request Entity Too Large
< Date: Sun, 13 May 2018 08:52:42 GMT
< Server: Apache/2.4.33 (Unix)
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/index.html<br />
does not allow request data with POST requests, or the amount of data provided in
the request exceeds the capacity limit.
</body></html>

In PHP, the result of exceeding the post_max_size value is to empty the $_POST and $_FILES superglobals, not to return a 413 response.

The purpose of this feature, in Symfony, would be to bring this behaviour at the PHP level and to benefit from response format customization, application error logging, fine-grained max request size configuration and probably other points I don't see right now.

[nicolas-grekas]

Is it possible to implement this at all? Both the webserver and PHP are sitting in front of Symfony so that we come too late in the process to do anything about it, don't we?

[gquemener]

Well, in French we have a saying: "Mieux vaut tard que jamais !" (better late than never).

Indeed, the size exceeding request would go through the web server and php, before hitting the Symfony request listener, but at least a 413 would be returned in the end.

Have you seen the implementation example I've shared in my initial message @nicolas-grekas ?

[jvasseur]

The OWASP recommendations are to reject requests that exceed a certain size because it takes time to process them, it you do it to late (in Symfony) you lose all the benefits of rejecting requests that are to big.

In some cases (maybe even all cases) PHP will read the full request before passing it to the the PHP script, putting a restriction in the size of the request after it is completely read doesn't bring any value.

[gquemener]

Thanks for your insights.

However, it does bring a value on the client-side to inform it of what went wrong and correct the next requests, don't you think?

On the performance point of view,
I may be wrong, but the request content would be read once, by the web server (no matter where you put the size restriction), which will set the request Content-Length header. PHP will then base its post_max_size comparison on this header, as well as the Symfony request listener. ⚠️ This is highly based on assumption and requires some more proof (if anyone has facts about this, I'd be glad if you could share them, thanks)

I could work on a "web server configuration vs symfony listener request payload detection benchmark".

[jvasseur]

The thing is, if it's the web server or PHP that manage the size limit of the request, it can stop reading it and return an error as soon as it goes over the limit, if it's done in a PHP script, the request will be fully read anyway which is bad for security.

BTW the Content-Length header is set by the browser, not the web server (except for chunked request where it is not set at all).

[nicolas-grekas]

OK, so for some specific set of content-type + HTTP verb, Symfony does read the raw stream, using php://input. For other cases (file upload and POSTs), PHP or the webserver will completly bypass the Symfony app and reply on their own, without giving the app any chance to do anything (which is a good thing for security.)

I suppose you're talking about these cases where php://input is read.
Why not then, PR welcome :)

[gquemener]

BTW the Content-Length header is set by the browser, not the web server

Interesting, I didn't know that, thanks.

I guess it's not safe to rely on this value then, but better rely on a strlen($request->getContent()) or fstat($request->getContent(true))['size'] call, isn't it?

The thing is that both getContent solution will read the entire content, not solving the security/performance issue then 🤔

OK, so for some specific set of content-type + HTTP verb, Symfony does read the raw stream, using php://input. For other cases (file upload and POSTs), PHP or the webserver will completly bypass the Symfony app and reply on their own, without giving the app any chance to do anything (which is a good thing for security.)

Sorry, I'm not sure I understand correctly what you mean. Could you provide some examples of this specific set, please?
I believe the webserver configuration directives that @javiereguiluz has pointed out will return a 413 no matter which HTTP verbs or Content-Type is used.
Could you show me an example of PHP configuration to reply with a 413 in case of request body size exceeding post_max_size please?

Why not then, PR welcome :)

With pleasure :)

[nicolas-grekas]

This is getting abstract to me. @dunglas since you're mentioned, I'd be happy to gather your hints here. This would need to be put into practice so that we're sure we're talking about something that we can actually acted upon.

[dunglas]

IMO it's better to do this check at the Nginx level. There are anyway 2 benefits of doing it at Symfony's level:

• It allows to display a nicer error message to the client, and to trigger any log system
• Sometimes you don't have access to the Nginx or Apache configuration

It's indeed less efficient than doing it at the web server level, but anyway reading the input is often not the operation consuming most resources. For an API for instance, it's the deserialization process that is expensive.

According to https://stackoverflow.com/questions/45249519/how-to-get-php-input-size, checking $_SERVER['CONTENT_LENGTH'] should be enough.

[jvasseur]

The $_SERVER['CONTENT_LENGTH'] is not enough since it's not set in the case of Transfer-Encoding: chunked requests.

[fabpot]

The check must be done at the web server/PHP level to be efficient. As already mentioned, doing it in Symfony is too late.