Copilot commented on code in PR #3301:
URL: https://github.com/apache/cxf/pull/3301#discussion_r3555246363


##########
core/src/main/java/org/apache/cxf/helpers/IOUtils.java:
##########
@@ -228,6 +232,10 @@ public static int copy(final InputStream input, final 
OutputStream output,
             output.write(buffer, 0, n);
             total += n;
             n = input.read(buffer);
+
+            if (maxSize > 0 /* -1 sets to unlimited */ && total > maxSize) {

Review Comment:
   The maxSize enforcement happens after writing the chunk to the output and 
after an additional read, which allows writing/accumulating more than maxSize 
bytes before throwing. For ByteArrayOutputStream callers (e.g., 
readBytesFromStream), this can allocate well beyond the intended limit in the 
first read when the buffer is larger than maxSize.



##########
core/src/main/java/org/apache/cxf/io/CachedOutputStream.java:
##########
@@ -334,9 +335,14 @@ public byte[] getBytes() throws IOException {
             }
             throw new IOException("Unknown format of currentStream");
         }
+
+        if (maxSize > Integer.MAX_VALUE) {
+            throw new IOException("The total limit of " + Integer.MAX_VALUE + 
" bytes exceeded, data is too large");
+        }

Review Comment:
   getBytes() currently throws whenever the configured maxSize is > 
Integer.MAX_VALUE, even if the actual cached content (totalLength) is small 
enough to fit in a byte[]. This can break callers that intentionally configure 
a large maxSize but only cache small payloads.



##########
rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/BinaryDataProvider.java:
##########
@@ -105,7 +110,7 @@ public T readFrom(Class<T> clazz, Type genericType, 
Annotation[] annotations, Me
                 return clazz.cast(new InputStreamReader(is, 
getEncoding(type)));
             }
             if (byte[].class.isAssignableFrom(clazz)) {
-                return clazz.cast(IOUtils.readBytesFromStream(is));
+                return clazz.cast(IOUtils.readBytesFromStream(is, maxSize));
             }
             if (File.class.isAssignableFrom(clazz)) {

Review Comment:
   The new maxSize is enforced only for byte[] reads; when the provider is used 
with File.class it still copies the full request entity to disk with no size 
limit. That means the payload size is not actually constrained in all 
BinaryDataProvider read paths.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to