Add response size limit

denyskon · denyskon · commit 57dc3d19ba34 · 2025-04-18T19:08:54.000+02:00
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -2417,6 +2417,8 @@ LEVEL = Info
 ;DEFAULT_GIT_TREES_PER_PAGE = 1000
 ;; Default max size of a blob returned by the blobs API (default is 10MiB)
 ;DEFAULT_MAX_BLOB_SIZE = 10485760
+;; Default max combined size of all blobs returned by the files API (default is 100MiB)
+;DEFAULT_MAX_RESPONSE_SIZE = 104857600
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/modules/setting/api.go b/modules/setting/api.go
@@ -18,13 +18,15 @@ var API = struct {
 	DefaultPagingNum       int
 	DefaultGitTreesPerPage int
 	DefaultMaxBlobSize     int64
+	DefaultMaxResponseSize int64
 }{
 	EnableSwagger:          true,
 	SwaggerURL:             "",
 	MaxResponseItems:       50,
 	DefaultPagingNum:       30,
 	DefaultGitTreesPerPage: 1000,
 	DefaultMaxBlobSize:     10485760,
+	DefaultMaxResponseSize: 104857600,
 }
 
 func loadAPIFrom(rootCfg ConfigProvider) {
diff --git a/modules/structs/settings.go b/modules/structs/settings.go
@@ -26,6 +26,7 @@ type GeneralAPISettings struct {
 	DefaultPagingNum       int   `json:"default_paging_num"`
 	DefaultGitTreesPerPage int   `json:"default_git_trees_per_page"`
 	DefaultMaxBlobSize     int64 `json:"default_max_blob_size"`
+	DefaultMaxResponseSize int64 `json:"default_max_response_size"`
 }
 
 // GeneralAttachmentSettings contains global Attachment settings exposed by API
diff --git a/routers/api/v1/repo/file.go b/routers/api/v1/repo/file.go
@@ -1026,6 +1026,8 @@ func GetFiles(ctx *context.APIContext) {
 	//     "$ref": "#/responses/ContentsListResponse"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
+	//   "413":
+	//		 "$ref": "#/responses/contentTooLarge"
 
 	apiOpts := web.GetForm(ctx).(*api.GetFilesOptions)
 
@@ -1045,7 +1047,10 @@ func GetFiles(ctx *context.APIContext) {
 	listOpts := utils.GetListOptions(ctx)
 	files = util.PaginateSlice(files, listOpts.Page, listOpts.PageSize).([]string)
 
-	filesResponse := files_service.GetContentsListFromTrees(ctx, ctx.Repo.Repository, ref, files)
+	filesResponse, err := files_service.GetContentsListFromTrees(ctx, ctx.Repo.Repository, ref, files)
+	if err != nil {
+		ctx.APIError(http.StatusRequestEntityTooLarge, err.Error())
+	}
 
 	ctx.SetTotalCountHeader(int64(count))
 	ctx.JSON(http.StatusOK, filesResponse)
diff --git a/services/context/api.go b/services/context/api.go
@@ -91,6 +91,12 @@ type APIForbiddenError struct {
 // swagger:response notFound
 type APINotFound struct{}
 
+// APIContentTooLarge is a content too large error response
+// swagger:response contentTooLarge
+type APIContentTooLarge struct {
+	APIError
+}
+
 // APIConflict is a conflict empty response
 // swagger:response conflict
 type APIConflict struct{}
diff --git a/services/repository/files/file.go b/services/repository/files/file.go
@@ -13,21 +13,32 @@ import (
 
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"
 )
 
-func GetContentsListFromTrees(ctx context.Context, repo *repo_model.Repository, branch string, treeNames []string) []*api.ContentsResponse {
+func GetContentsListFromTrees(ctx context.Context, repo *repo_model.Repository, branch string, treeNames []string) ([]*api.ContentsResponse, error) {
 	files := []*api.ContentsResponse{}
+	var size int64 = 0
 	for _, file := range treeNames {
 		fileContents, _ := GetContents(ctx, repo, file, branch, false) // ok if fails, then will be nil
+		if *fileContents.Content != "" {
+			size += fileContents.Size // if content isn't empty (e. g. due to the single blob being too large), add file size to response size
+		}
+		if size > setting.API.DefaultMaxResponseSize {
+			return nil, fmt.Errorf("the combined size of the requested blobs exceeds the per-request limit set by the server administrator")
+		}
 		files = append(files, fileContents)
 	}
-	return files
+	return files, nil
 }
 
 func GetFilesResponseFromCommit(ctx context.Context, repo *repo_model.Repository, commit *git.Commit, branch string, treeNames []string) (*api.FilesResponse, error) {
-	files := GetContentsListFromTrees(ctx, repo, branch, treeNames)
+	files, err := GetContentsListFromTrees(ctx, repo, branch, treeNames)
+	if err != nil {
+		return nil, err
+	}
 	fileCommitResponse, _ := GetFileCommitResponse(repo, commit) // ok if fails, then will be nil
 	verification := GetPayloadCommitVerification(ctx, commit)
 	filesResponse := &api.FilesResponse{
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
diff --git a/tests/integration/api_settings_test.go b/tests/integration/api_settings_test.go
@@ -35,6 +35,7 @@ func TestAPIExposedSettings(t *testing.T) {
 		DefaultPagingNum:       setting.API.DefaultPagingNum,
 		DefaultGitTreesPerPage: setting.API.DefaultGitTreesPerPage,
 		DefaultMaxBlobSize:     setting.API.DefaultMaxBlobSize,
+		DefaultMaxResponseSize: setting.API.DefaultMaxResponseSize,
 	}, apiSettings)
 
 	repo := new(api.GeneralRepoSettings)

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ type GeneralAPISettings struct {`
`26`	`26`	DefaultPagingNum int `json:"default_paging_num"`
`27`	`27`	DefaultGitTreesPerPage int `json:"default_git_trees_per_page"`
`28`	`28`	DefaultMaxBlobSize int64 `json:"default_max_blob_size"`
	`29`	+ DefaultMaxResponseSize int64 `json:"default_max_response_size"`
`29`	`30`	`}`
`30`	`31`
`31`	`32`	`// GeneralAttachmentSettings contains global Attachment settings exposed by API`