feat(http): add SizeLimitHandler to enforce request body size limit

[bladehan1]

What does this PR do?

Add Jetty SizeLimitHandler at the server handler level to enforce request body size limits for all HTTP and JSON-RPC endpoints. Oversized requests are rejected with HTTP 413 before the body is fully buffered into memory.

• Introduce node.http.maxMessageSize and node.jsonrpc.maxMessageSize as independent, configurable size limits
• Default: GrpcUtil.DEFAULT_MAX_MESSAGE_SIZE (4 MB), consistent with gRPC defaults
• Wire SizeLimitHandler into HttpService.initContextHandler() as the outermost handler
• Each HttpService subclass (4 HTTP + 3 JSON-RPC) sets maxRequestSize from the corresponding config getter
• Deprecate Util.checkBodySize() — retained as fallback for backward compatibility

Why are these changes required?

Previously, HTTP request body size was only validated at the application layer (Util.checkBodySize()), which reads the entire body into memory before checking. The JSON-RPC interface had no size validation at all. This allows an attacker to send arbitrarily large payloads, causing OOM and denial of service.

Moving the limit to the Jetty handler chain provides:

1. Early rejection — oversized requests are stopped before reaching servlet code
2. Streaming enforcement — limits are enforced during read, not after full buffering
3. Unified coverage — all HTTP and JSON-RPC endpoints are protected by a single mechanism
4. Independent tuning — operators can configure HTTP and JSON-RPC limits separately

Closes #6604

This PR has been tested by:

• Unit Tests (SizeLimitHandlerTest: boundary, independent limits, UTF-8 byte counting)
• Unit Tests (ArgsTest: default value alignment)

Follow up

• Remove Util.checkBodySize() callers in a follow-up PR once this is stable
• Compression bomb (gzip decompression) protection is a separate concern, tracked independently

Extra details

Files changed: 14 (+253 / -2)

Component	Changes
HttpService	Add maxRequestSize field, wire SizeLimitHandler in initContextHandler()
Args / ConfigKey / CommonParameter	Parse node.http.maxMessageSize and node.jsonrpc.maxMessageSize
7 service subclasses	Set maxRequestSize from protocol-specific getter in constructor
Util.checkBodySize()	Mark @Deprecated
SizeLimitHandlerTest	New: 8 tests covering HTTP/JSON-RPC limits, boundary, UTF-8, independence
ArgsTest	Align assertions with 4 MB defaults

[xxo1shine]

@bladehan1 One observation on the config validation in Args.java: the guard currently rejects <= 0 values with TronError, but there is no upper-bound check. An operator who accidentally sets node.http.maxMessageSize = 2147483647 would silently run with a 2 GB limit. Adding a reasonable maximum (e.g. 128 MB) with an explicit warn-or-throw would make misconfiguration more visible.

[bladehan1]

@xxo1shine
Thanks for the review. I think that when users manually configure values, it's unnecessary to set all boundaries except for error-prone values. Especially for values ​​that are obviously likely to have problems, setting boundaries is unnecessary.

[lxcmyf]

Marking this helper as deprecated does not make the new HTTP limit effective yet. PostParams.getPostParams() and many servlets still call Util.checkBodySize(), and that method is still enforcing parameter.getMaxMessageSize() (the gRPC limit), not httpMaxMessageSize. So any request whose body is > node.rpc.maxMessageSize but <= node.http.maxMessageSize will pass Jetty and then still be rejected in the servlet layer, which means the new independent HTTP setting is not actually honored for a large part of the API surface.

[bladehan1]

Good catch, thanks. checkBodySize() has been updated to use parameter.getHttpMaxMessageSize() instead of parameter.getMaxMessageSize(), so the servlet-layer fallback now honors the independent HTTP limit. See the latest push.

[lxcmyf]

This moves oversized-request handling in front of every servlet, so those requests never reach RateLimiterServlet.service() / Util.processError(). Today the HTTP APIs consistently set application/json and serialize failures through Util.printErrorMsg(...); after this change an over-limit body gets Jetty's default 413 response instead. That is a client-visible behavior change for existing callers, and the new test only checks status codes so it would not catch the response-format regression.

[bladehan1]

Thanks for flagging the response-format difference. I did a detailed comparison:

Before (checkBodySize rejection):

• HTTP status: 200 OK (processError() does not set status code)
• Body: {"Error":"java.lang.Exception : body size is too big, the limit is 4194304"}

After (SizeLimitHandler rejection):

• HTTP status: 413 Payload Too Large
• Body: Jetty default error page (non-JSON)

The format is indeed not fully compatible, but I believe this is acceptable:

1. The existing behavior is itself incorrect — returning 200 OK with an error JSON body violates HTTP semantics. Clients that only check status codes would incorrectly treat the oversized request as successful. The new 413 is the proper HTTP response for this scenario.

2. The trigger threshold is very high — default is 4 MB. Normal API requests are far below this. Only abnormal or malicious payloads hit this limit, so the impact surface is negligible for legitimate clients.

3. 413 is a standard HTTP status code — all HTTP client libraries handle it correctly. Clients already need to handle non-JSON infrastructure errors (e.g., Jetty 503, proxy 502/504).

4. The new layer provides a real security benefit — SizeLimitHandler rejects during streaming, before the body is fully buffered into memory, which is the core OOM protection. Falling back to application-layer formatting would defeat this purpose.

[waynercheung]

SizeLimitHandler only guarantees a pre-servlet 413 when Content-Length is known. For chunked / unknown-length requests, enforcement happens while downstream code is reading the request body. In the current codebase many HTTP handlers catch broad Exception around request.getReader(), and RateLimiterServlet also catches unexpected Exception, so the streaming over-limit exception can be absorbed before Jetty turns it into a 413. That means the PR still does not prove the “uniform 413” behavior described in the issue for requests without Content-Length.

[waynercheung]

these tests all use StringEntity, so they exercise the fixed-length / Content-Length path only. They do not cover chunked or unknown-length requests, where SizeLimitHandler enforces during body reads instead of before servlet dispatch. Since the existing servlet chain has broad catch (Exception) blocks, we need at least one end-to-end test for the streaming path against a real HTTP servlet and the JSON-RPC servlet, and it should assert that an oversized request still surfaces as HTTP 413

[waynercheung]

The new config validation rejects non-positive values, but extremely large limits are still accepted silently. I don’t think a hard cap is mandatory, but at least warning on suspiciously large values would make misconfiguration easier to catch.