Content encoding gzip

CHANGELOG.md

@@ -1,3 +1,13 @@
+## 1.9.3-beta.8
+
+- `APIServerConfig`, `APIServerWorker`, `APIServer`:
+  - Add `maxPayloadLength` and `decompressPayload` options for request handling.
+
+- `APIServer`:
+  - `_loadPayloadBytes`:
+    - Added support for compressed payload in gzip and deflate.
+    - Added `_decodePayloadGzip` to handled GZip decompression and check the decompressed size in header before decompression. 
+
 ## 1.9.3-beta.7
 
 - `GenericEntityHandler`, `ClassReflectionEntityHandler`:

lib/src/bones_api_base.dart

@@ -42,7 +42,7 @@ typedef APILogger = void Function(APIRoot apiRoot, String type, String? message,
 /// Bones API Library class.
 class BonesAPI {
   // ignore: constant_identifier_names
-  static const String VERSION = '1.9.3-beta.7';
+  static const String VERSION = '1.9.3-beta.8';
 
   static bool _boot = false;
 

lib/src/bones_api_server.dart

@@ -124,6 +124,23 @@
   /// The maximum `Content-Length` (in bytes) allowed for a cached [Response]. Default: 10M
   final int staticFilesCacheMaxContentLength;
 
+  /// The maximum allowed request payload size in bytes.
+  ///
+  /// If set, any request with a payload larger than this value will be
+  /// rejected with a 500 Bad Request response.
+  ///
+  /// Default: null (no size limit).
+  final int? maxPayloadLength;
+
+  /// Whether to decompress the request payload if it is compressed using
+  /// a supported `Content-Encoding` (e.g., gzip or deflate).
+  ///
+  /// If `true`, the payload will be automatically decompressed before processing.
+  /// If `false`, compressed payloads will be left as-is.
+  ///
+  /// Default: false.
+  final bool decompressPayload;
+
   /// If `true` log messages to [stdout] (console).
   late final bool logToConsole;
 
@@ -164,6 +181,8 @@
     bool? cacheStaticFilesResponses,
     int? staticFilesCacheMaxMemorySize,
     int? staticFilesCacheMaxContentLength,
+    this.maxPayloadLength,
+    this.decompressPayload = false,
     this.apiConfig,
     bool? logToConsole,
     bool? logQueue,
@@ -260,6 +279,9 @@
     var staticFilesCacheMaxContentLength =
         a.optionAsInt('static-files-cache-max-content-length');
 
+    var maxPayloadLength = a.optionAsInt('max-payload-length');
+    var decompressPayload = a.flag('decompress-payload');
+
     var logToConsole = a.flagOr('log-toConsole', null);
 
     var logQueue = a.flagOr('log-queue', null);
@@ -308,6 +330,8 @@
       cacheStaticFilesResponses: cacheStaticFilesResponses,
       staticFilesCacheMaxMemorySize: staticFilesCacheMaxMemorySize,
       staticFilesCacheMaxContentLength: staticFilesCacheMaxContentLength,
+      maxPayloadLength: maxPayloadLength,
+      decompressPayload: decompressPayload,
       serverResponseDelay: serverResponseDelay,
       apiConfig: apiConfig,
       logToConsole: logToConsole,
@@ -697,6 +721,8 @@
         'cacheStaticFilesResponses': cacheStaticFilesResponses,
         'staticFilesCacheMaxMemorySize': staticFilesCacheMaxMemorySize,
         'staticFilesCacheMaxContentLength': staticFilesCacheMaxContentLength,
+        'maxPayloadLength': maxPayloadLength,
+        'decompressPayload': decompressPayload,
         'logToConsole': logToConsole,
         'logQueue': logQueue,
         if (args.isNotEmpty) 'args': args.toList(),
@@ -720,6 +746,8 @@
       apiCacheControl: json['apiCacheControl'],
       staticFilesCacheControl: json['staticFilesCacheControl'],
       cacheStaticFilesResponses: json['cacheStaticFilesResponses'],
+      maxPayloadLength: json['maxPayloadLength'],
+      decompressPayload: json['decompressPayload'],
       logToConsole: json['logToConsole'],
       logQueue: json['logQueue'],
       args: json['args'],
@@ -767,6 +795,8 @@
     super.cacheStaticFilesResponses,
     super.staticFilesCacheMaxMemorySize,
     super.staticFilesCacheMaxContentLength,
+    super.maxPayloadLength,
+    super.decompressPayload,
     super.serverResponseDelay,
     super.logToConsole,
     super.logQueue,
@@ -796,6 +826,8 @@
               apiServerConfig.staticFilesCacheMaxMemorySize,
           staticFilesCacheMaxContentLength:
               apiServerConfig.staticFilesCacheMaxContentLength,
+          maxPayloadLength: apiServerConfig.maxPayloadLength,
+          decompressPayload: apiServerConfig.decompressPayload,
           serverResponseDelay: apiServerConfig.serverResponseDelay,
           logToConsole: apiServerConfig.logToConsole,
           logQueue: apiServerConfig.logQueue,
@@ -912,6 +944,8 @@
     super.apiCacheControl,
     super.staticFilesCacheControl,
     super.cacheStaticFilesResponses,
+    super.maxPayloadLength,
+    super.decompressPayload,
     super.serverResponseDelay,
     super.logToConsole,
     super.logQueue,
@@ -1003,6 +1037,8 @@
       cacheStaticFilesResponses: cacheStaticFilesResponses,
       staticFilesCacheMaxMemorySize: staticFilesCacheMaxMemorySize,
       staticFilesCacheMaxContentLength: staticFilesCacheMaxContentLength,
+      maxPayloadLength: maxPayloadLength,
+      decompressPayload: decompressPayload,
       letsEncryptDirectory: letsEncryptDirectory,
       securePort: securePort,
       useSessionID: useSessionID,
@@ -1032,7 +1068,10 @@
 
   /// Converts a [request] to an [APIRequest].
   static FutureOr<APIRequest> toAPIRequest(Request request,
-      {required bool cookieless, required bool useSessionID}) {
+      {required bool cookieless,
+      required bool useSessionID,
+      int? maxPayloadLength,
+      bool? decompressPayload}) {
     var requestTime = DateTime.now();
 
     var method = parseAPIRequestMethod(request.method) ?? APIRequestMethod.GET;
@@ -1094,7 +1133,10 @@
 
     var parsingDuration = DateTime.now().difference(requestTime);
 
-    return _resolvePayload(request).resolveMapped((payloadResolved) {
+    return _resolvePayload(request,
+            maxPayloadLength: maxPayloadLength,
+            decompressPayload: decompressPayload)
+        .resolveMapped((payloadResolved) {
       var mimeType = payloadResolved?.$1;
       var payload = payloadResolved?.$2;
 
@@ -1158,9 +1200,18 @@
   static final MimeType _mimeTypeTextPlain =
       MimeType.parse(MimeType.textPlain)!;
 
-  static Future<(MimeType, Object)?> _resolvePayload(Request request) {
+  static FutureOr<(MimeType, Object)?> _resolvePayload(Request request,
+      {int? maxPayloadLength, bool? decompressPayload}) {
     var contentLength = request.contentLength;
 
+    if (maxPayloadLength != null &&
+        maxPayloadLength >= 0 &&
+        contentLength != null &&
+        contentLength > maxPayloadLength) {
+      throw StateError(
+          "Can't read payload. `Content-Length` ($contentLength) exceeds `maxPayloadLength` ($maxPayloadLength).");
+    }
+
     var contentMimeType = _resolveContentMimeType(request);
     if (contentLength == null && contentMimeType == null) {
       return Future.value(null);
@@ -1169,9 +1220,21 @@
     var mimeType = contentMimeType ?? _mimeTypeTextPlain;
 
     if (mimeType.isStringType) {
-      return _resolvePayloadFromString(mimeType, request);
+      if (contentLength == 0) {
+        return (mimeType, '');
+      }
+
+      return _resolvePayloadFromString(mimeType, request,
+          maxPayloadLength: maxPayloadLength,
+          decompressPayload: decompressPayload);
     } else {
-      return _resolvePayloadBytes(mimeType, request);
+      if (contentLength == 0) {
+        return (mimeType, Uint8List(0));
+      }
+
+      return _resolvePayloadBytes(mimeType, request,
+          maxPayloadLength: maxPayloadLength,
+          decompressPayload: decompressPayload);
     }
   }
 
@@ -1204,8 +1267,12 @@
   }
 
   static Future<(MimeType, Object)?> _resolvePayloadFromString(
-          MimeType mimeType, Request request) =>
-      _loadPayloadString(mimeType, request).then((s) {
+          MimeType mimeType, Request request,
+          {int? maxPayloadLength, bool? decompressPayload}) =>
+      _loadPayloadString(mimeType, request,
+              maxPayloadLength: maxPayloadLength,
+              decompressPayload: decompressPayload)
+          .then((s) {
         if (s == null) return null;
 
         Object payload = s;
@@ -1218,10 +1285,12 @@
         return (mimeType, payload);
       });
 
-  static Future<String?> _loadPayloadString(
-          MimeType mimeType, Request request) =>
+  static Future<String?> _loadPayloadString(MimeType mimeType, Request request,
+          {int? maxPayloadLength, bool? decompressPayload}) =>
       request.read().toList().then((bs) {
-        var allBytes = _loadPayloadBytes(bs);
+        var allBytes = _loadPayloadBytes(request, bs,
+            maxPayloadLength: maxPayloadLength,
+            decompressPayload: decompressPayload);
 
         var encoding = mimeType.charsetEncoding ?? utf8;
 
@@ -1233,13 +1302,21 @@
       });
 
   static Future<(MimeType, Uint8List)?> _resolvePayloadBytes(
-          MimeType mimeType, Request request) =>
+          MimeType mimeType, Request request,
+          {int? maxPayloadLength, bool? decompressPayload}) =>
       request.read().toList().then((bs) {
-        var allBytes = _loadPayloadBytes(bs);
+        var allBytes = _loadPayloadBytes(request, bs,
+            maxPayloadLength: maxPayloadLength,
+            decompressPayload: decompressPayload);
         return (mimeType, allBytes);
       });
 
-  static Uint8List _loadPayloadBytes(List<List<int>> payloadBlocks) {
+  static Uint8List _loadPayloadBytes(
+      Request request, List<List<int>> payloadBlocks,
+      {int? maxPayloadLength, bool? decompressPayload}) {
+    maxPayloadLength ??= -1;
+    decompressPayload ??= false;
+
     Uint8List bytes;
 
     if (payloadBlocks.length == 1) {
@@ -1251,9 +1328,19 @@
       }
 
       assert(bytes.length == bs0.length);
+
+      if (maxPayloadLength >= 0 && bytes.length > maxPayloadLength) {
+        throw StateError(
+            "Payload size (${bytes.length}) exceeds `maxPayloadLength` ($maxPayloadLength).");
+      }
     } else {
       var allBytesSz = payloadBlocks.map((e) => e.length).sum;
 
+      if (maxPayloadLength >= 0 && allBytesSz > maxPayloadLength) {
+        throw StateError(
+            "Payload size ($allBytesSz) exceeds `maxPayloadLength` ($maxPayloadLength).");
+      }
+
       bytes = Uint8List(allBytesSz);
       var bytesOffset = 0;
 
@@ -1268,9 +1355,59 @@
       assert(bytesOffset == allBytesSz);
     }
 
+    if (decompressPayload && bytes.isNotEmpty) {
+      var contentEncoding = request.headers[HttpHeaders.contentEncodingHeader];
+
+      switch (contentEncoding) {
+        case null:
+        case '':
+        case 'identity':
+          {
+            break;
+          }
+        case 'gzip':
+          {
+            bytes = _decodePayloadGzip(bytes, maxPayloadLength);
+          }
+        case 'deflate':
+          {
+            bytes = _decodePayloadZlib(bytes);
+          }
+        default:
+          throw UnsupportedError(
+              "Unknown `Content-Encoding`: $contentEncoding");
+      }
+
+      if (maxPayloadLength >= 0 && bytes.length > maxPayloadLength) {
+        throw StateError(
+            "Decompressed `$contentEncoding` payload size (${bytes.length}) exceeds `maxPayloadLength` ($maxPayloadLength).");
+      }
+    }
+
     return bytes;
   }
 
+  static Uint8List _decodePayloadGzip(Uint8List bytes, int maxPayloadLength) {
+    if (maxPayloadLength >= 0) {
+      final byteData = ByteData.sublistView(bytes);
+      var gzipUncompressedSize =
+          byteData.getUint32(bytes.length - 4, Endian.little);
+
+      if (gzipUncompressedSize < 0 || gzipUncompressedSize > maxPayloadLength) {
+        throw StateError(
+            "Can't decompress payload of size ${bytes.length}: GZip payload uncompressed size ($gzipUncompressedSize) exceeds `maxPayloadLength` ($maxPayloadLength).");
+      }
+    }
+
+    var decoded = gzip.decode(bytes);
+    return decoded is Uint8List ? decoded : Uint8List.fromList(decoded);
+  }
+
+  static Uint8List _decodePayloadZlib(Uint8List bytes) {
+    var decoded = zlib.decode(bytes);
+    return decoded is Uint8List ? decoded : Uint8List.fromList(decoded);
+  }
+
   static final RegExp _regExpSpace = RegExp(r'\s+');
 
   static APICredential? _resolveCredential(Request request) {
@@ -1700,6 +1837,8 @@
     super.cacheStaticFilesResponses,
     super.staticFilesCacheMaxMemorySize,
     super.staticFilesCacheMaxContentLength,
+    super.maxPayloadLength,
+    super.decompressPayload,
     super.serverResponseDelay,
     super.logToConsole,
     super.logQueue,
@@ -2144,10 +2283,15 @@
     APIRequest? apiRequest;
     try {
       return APIServer.toAPIRequest(request,
-              cookieless: cookieless, useSessionID: useSessionID)
-          .resolveMapped((apiReq) {
+              cookieless: cookieless,
+              useSessionID: useSessionID,
+              maxPayloadLength: maxPayloadLength,
+              decompressPayload: decompressPayload)
+          .then((apiReq) {
         apiRequest = apiReq;
         return _processAPIRequest(request, apiReq);
+      }, onError: (e, s) {
+        return _errorProcessing(request, apiRequest, e, s);
       });
     } catch (e, s) {
       return _errorProcessing(request, apiRequest, e, s);

pubspec.yaml

@@ -1,6 +1,6 @@
 name: bones_api
 description: Bones_API - A powerful API backend framework for Dart. It comes with a built-in HTTP Server, route handler, entity handler, SQL translator, and DB adapters.
-version: 1.9.3-beta.7
+version: 1.9.3-beta.8
 homepage: https://github.com/Colossus-Services/bones_api
 
 environment:
@@ -54,7 +54,7 @@ dependencies:
 dev_dependencies:
   lints: ^5.1.1
   build_runner: ^2.4.15
-  build_verify: ^3.1.0
+  build_verify: ^3.1.1
   test: ^1.26.2
   pubspec: ^2.3.0
   dependency_validator: ^4.1.3