shreemaan-abhishek opened a new pull request, #13478: URL: https://github.com/apache/apisix/pull/13478
### Description

The `hmac-auth` plugin reads the entire client request body into memory to verify the digest when `validate_request_body` is `true`. Today that read (`core.request.get_body()`) has no upper bound, so a client can force a worker to buffer an arbitrarily large body. The only existing backstop is the global nginx `client_max_body_size`, which operators routinely raise or disable for upload routes.

This adds a `max_req_body_size` option (integer, default `67108864` = 64 MiB, minimum `1`) to `hmac-auth`, so that when body validation is enabled, oversized requests are rejected with `413` before the body is buffered:

- `hmac-auth`: caps the body read for digest validation (passed to `core.request.get_body()`); enforced only on the `validate_request_body = true` path.

This complements the body-size hardening series started in #13466, which added `max_req_body_size` to `forward-auth`, `ai-proxy`, and `ai-proxy-multi`. That PR deliberately excluded `hmac-auth`; this PR closes that gap with the same default, the same `413` rejection behavior, and the same schema/docs conventions.

Docs and e2e tests are included.

### ⚠️ Default behavior change

`hmac-auth` now defaults `max_req_body_size` to **64 MiB**. The change is observable only when **all** of the following hold:

1. the route uses `hmac-auth` with `validate_request_body = true`; **and**
2. the operator has raised nginx `client_max_body_size` above 64 MiB (or set it to `0`); **and**
3. a client sends a request body larger than 64 MiB.

In that case the request is now rejected with `413` instead of being buffered in full. Under the default `client_max_body_size` (1 MiB) there is **no** change. The limit is configurable via `max_req_body_size` to restore prior behavior.

#### Which issue(s) this PR fixes:

Fixes #

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (see the documented default behavior change above; configurable via `max_req_body_size`)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
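The pattern the PR describes, a bounded body read that rejects with `413` before buffering and only then validates the digest, as an added stand-alone illustration in Python. This is not the APISIX plugin's Lua code and does not use `core.request.get_body()`; it models the same control flow against an in-memory stream. The `Digest` header format (`SHA-256=` followed by the base64 SHA-256 of the body) and the lowercase header names are assumptions for the example, and the sample requests are constructed inline.

```python
import base64
import hashlib
import hmac
import io

# Default from the PR: 67108864 bytes = 64 MiB, minimum allowed value 1.
DEFAULT_MAX_REQ_BODY_SIZE = 64 * 1024 * 1024


def read_bounded_body(stream, content_length, max_req_body_size):
    """Read at most max_req_body_size bytes from stream.

    Returns (413, None) when the body exceeds the cap, else (None, body).
    A declared Content-Length above the cap is rejected before reading a
    single byte; an undeclared or understated length is caught by reading
    one byte past the cap and checking the result.
    """
    if max_req_body_size < 1:
        raise ValueError("max_req_body_size must be >= 1")

    # Fast path: reject oversized declared bodies before buffering anything.
    if content_length is not None and content_length > max_req_body_size:
        return 413, None

    chunks = []
    remaining = max_req_body_size + 1  # one extra byte detects overflow
    while remaining > 0:
        chunk = stream.read(min(65536, remaining))
        if not chunk:
            break
        chunks.append(chunk)
        remaining -= len(chunk)

    body = b"".join(chunks)
    if len(body) > max_req_body_size:
        return 413, None
    return None, body


def expected_digest(body):
    """Digest header value assumed by this example: base64 SHA-256 of the body."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def validate_request_body(headers, stream, max_req_body_size=DEFAULT_MAX_REQ_BODY_SIZE):
    """Return an HTTP status: 413 (too large), 401 (digest mismatch), or 200."""
    headers = {k.lower(): v for k, v in headers.items()}

    content_length = None
    if "content-length" in headers:
        try:
            content_length = int(headers["content-length"])
        except ValueError:
            content_length = None  # malformed length: fall back to the streaming check

    status, body = read_bounded_body(stream, content_length, max_req_body_size)
    if status is not None:
        return status

    supplied = headers.get("digest")
    if supplied is None or not hmac.compare_digest(supplied, expected_digest(body)):
        return 401
    return 200


if __name__ == "__main__":
    # Constructed sample requests.
    good = b'{"ok":true}'
    print(validate_request_body({"Digest": expected_digest(good)}, io.BytesIO(good), 64))
    print(validate_request_body({"Content-Length": "100"}, io.BytesIO(b"x" * 100), 16))
    print(validate_request_body({}, io.BytesIO(b"x" * 32), 16))
```

The two-stage check matters because `Content-Length` is client-supplied: a request that omits or understates it would still be buffered in full if only the declared length were consulted, so the streaming read is the one that actually bounds worker memory.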
