feat: Make request header and body size configurable

[marcozabel]

This PR

• adds this new feature

Related Issues

Fixes #1234523

Notes

Follow-up Tasks

How to test

[netlify]

✅ Deploy Preview for polite-licorice-3db33c ready!

Name	Link
🔨 Latest commit	74c74dc
🔍 Latest deploy log	https://app.netlify.com/projects/polite-licorice-3db33c/deploys/69a85fa0c09bf200089b1772
😎 Deploy Preview	https://deploy-preview-1892--polite-licorice-3db33c.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the flagd service by introducing configurable limits for incoming HTTP request body and header sizes. This feature allows administrators to prevent denial-of-service attacks or resource exhaustion by rejecting excessively large requests, thereby improving the service's robustness and security.

Highlights

• Configuration Fields Added: Introduced MaxRequestHeaderBytes and MaxRequestBodyBytes fields to the service.Configuration struct, enabling global control over request sizes.
• New CLI Flags: Added new command-line flags (--max-request-body and --max-request-header) to flagd for configuring these size limits at startup.
• Service Integration: Integrated the new request size limits into both the Connect and OFREP services, utilizing http.MaxBytesHandler for body limits and http.Server.MaxHeaderBytes for header limits.
• Error Handling for OFREP: Implemented specific error handling in the OFREP service to return HTTP 413 StatusRequestEntityTooLarge when body size limits are exceeded.
• Comprehensive Unit Tests: Included comprehensive unit tests for both Connect and OFREP services to verify the correct enforcement of request body and header size limits.

Changelog

• core/pkg/service/iservice.go
  • Added MaxRequestHeaderBytes and MaxRequestBodyBytes fields to the Configuration struct.
• flagd/cmd/start.go
  • Defined and bound new CLI flags (max-request-body, max-request-header) for configuring request size limits, and retrieved their values for runtime configuration.
• flagd/pkg/runtime/from_config.go
  • Updated the Config struct to include MaxRequestBodyBytes and MaxRequestHeaderBytes, and passed these values to the OFREP and Connect service configurations.
• flagd/pkg/service/flag-evaluation/connect_service.go
  • Implemented http.MaxBytesHandler for request body limits and set http.Server.MaxHeaderBytes based on the new configuration.
• flagd/pkg/service/flag-evaluation/connect_service_test.go
  • Added new test cases to verify the ConnectService correctly enforces request body and header size limits.
• flagd/pkg/service/flag-evaluation/ofrep/handler.go
  • Modified extractOfrepRequest to propagate http.MaxBytesError and updated HandleFlagEvaluation and HandleBulkEvaluation to return HTTP 413 for oversized request bodies.
• flagd/pkg/service/flag-evaluation/ofrep/ofrep_service.go
  • Updated SvcConfiguration to include request size limits and applied http.MaxBytesHandler and http.Server.MaxHeaderBytes to the OFREP HTTP server.
• flagd/pkg/service/flag-evaluation/ofrep/ofrep_service_test.go
  • Introduced new test cases to confirm the OfrepService correctly handles requests exceeding configured body and header size limits.

Activity

• No specific activity (comments, reviews, progress updates) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces configurability for request header and body sizes, which is a valuable feature for security and resource management. The implementation is solid, adding new flags, propagating the configuration, and applying the limits at the HTTP server level for both connect and OFREP services. The new tests effectively validate the behavior for oversized requests. I have one suggestion to refactor some duplicated error handling logic in the OFREP handler to improve maintainability.

[gemini-code-assist]

This error handling block is nearly identical to the one in HandleBulkEvaluation on lines 121-129. To improve maintainability and adhere to the Don't Repeat Yourself (DRY) principle, this duplicated logic should be extracted into a shared helper function.

A helper function could handle checking for *http.MaxBytesError and other extraction errors, reducing code duplication and making the handlers cleaner.

For example:

// handleExtractionError checks for errors from extractOfrepRequest and writes an appropriate response.
// It returns true if an error was handled.
func (h *handler) handleExtractionError(w http.ResponseWriter, err error, errorPayload any) bool {
	if err == nil {
		return false
	}
	var maxBytesErr *http.MaxBytesError
	if errors.As(err, &maxBytesErr) {
		w.WriteHeader(http.StatusRequestEntityTooLarge)
		return true
	}
	h.writeJSONToResponse(http.StatusBadRequest, errorPayload, w)
	return true
}

Using this helper would simplify both HandleFlagEvaluation and HandleBulkEvaluation.

[sonarqubecloud]

Quality Gate failed

Failed conditions
18.3% Duplication on New Code (required ≤ 3%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE