fix(minidump): Re-add multipart size limit (#4836)

tobias-wilfert · web-flow · commit 89a8b77bfaf5 · 2025-06-20T10:55:11.000+02:00
Re-add the limit that was removed in #4807.
diff --git a/relay-server/src/endpoints/minidump.rs b/relay-server/src/endpoints/minidump.rs
@@ -395,7 +395,10 @@ mod tests {
 
         let config = Config::default();
 
-        let multipart = ConstrainedMultipart(utils::multipart_from_request(request)?);
+        let multipart = ConstrainedMultipart(utils::multipart_from_request(
+            request,
+            multer::Constraints::new(),
+        )?);
         let items = multipart.items(infer_attachment_type, &config).await?;
 
         // we expect the multipart body to contain
diff --git a/relay-server/src/extractors/remote.rs b/relay-server/src/extractors/remote.rs
@@ -51,7 +51,7 @@ impl FromRequest<ServiceState> for Remote<Multipart<'static>> {
         request: Request,
         _state: &ServiceState,
     ) -> Result<Self, Self::Rejection> {
-        utils::multipart_from_request(request)
+        utils::multipart_from_request(request, multer::Constraints::new())
             .map(Remote)
             .map_err(Remote)
     }
diff --git a/relay-server/src/utils/multipart.rs b/relay-server/src/utils/multipart.rs
@@ -297,11 +297,14 @@ pub struct ConstrainedMultipart(pub Multipart<'static>);
 impl FromRequest<ServiceState> for ConstrainedMultipart {
     type Rejection = Remote<multer::Error>;
 
-    async fn from_request(
-        request: Request,
-        _state: &ServiceState,
-    ) -> Result<Self, Self::Rejection> {
-        multipart_from_request(request).map(Self).map_err(Remote)
+    async fn from_request(request: Request, state: &ServiceState) -> Result<Self, Self::Rejection> {
+        // Still want to enforce multer limits here so that we avoid parsing large fields.
+        let limits =
+            multer::SizeLimit::new().whole_stream(state.config().max_attachments_size() as u64);
+
+        multipart_from_request(request, multer::Constraints::new().size_limit(limits))
+            .map(Self)
+            .map_err(Remote)
     }
 }
 
@@ -327,7 +330,9 @@ impl FromRequest<ServiceState> for UnconstrainedMultipart {
         request: Request,
         _state: &ServiceState,
     ) -> Result<Self, Self::Rejection> {
-        multipart_from_request(request).map(Self).map_err(Remote)
+        multipart_from_request(request, multer::Constraints::new())
+            .map(Self)
+            .map_err(Remote)
     }
 }
 
@@ -341,17 +346,21 @@ impl UnconstrainedMultipart {
     }
 }
 
-pub fn multipart_from_request(request: Request) -> Result<Multipart<'static>, multer::Error> {
+pub fn multipart_from_request(
+    request: Request,
+    constraints: multer::Constraints,
+) -> Result<Multipart<'static>, multer::Error> {
     let content_type = request
         .headers()
         .get("content-type")
         .and_then(|v| v.to_str().ok())
         .unwrap_or("");
     let boundary = multer::parse_boundary(content_type)?;
 
-    Ok(Multipart::new(
+    Ok(Multipart::with_constraints(
         request.into_body().into_data_stream(),
         boundary,
+        constraints,
     ))
 }
 

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ impl FromRequest<ServiceState> for Remote<Multipart<'static>> {`
`51`	`51`	`request: Request,`
`52`	`52`	`_state: &ServiceState,`
`53`	`53`	`) -> Result<Self, Self::Rejection> {`
`54`		`- utils::multipart_from_request(request)`
	`54`	`+ utils::multipart_from_request(request, multer::Constraints::new())`
`55`	`55`	`.map(Remote)`
`56`	`56`	`.map_err(Remote)`
`57`	`57`	`}`