
[Task] Add response body size limit in SwaggerImportServiceImpl.fetchSwaggerDoc() #6401

@Aias00

Description

SwaggerImportServiceImpl.fetchSwaggerDoc() uses response.body().string() to read the full HTTP response into memory without any size constraint. On the MCP import path, the response is subsequently parsed three times (Gson + OpenAPIV3Parser + JsonParser), multiplying memory usage. An authenticated Admin user can supply a URL pointing to a large file, causing JVM heap exhaustion and crashing the Admin process.
Affected File:

shenyu-admin/src/main/java/org/apache/shenyu/admin/service/impl/SwaggerImportServiceImpl.java
Proposed Change:

Replace the unbounded response.body().string() call with a size-limited counted read:
```java
private static final long MAX_SWAGGER_BODY_BYTES = 10L * 1024 * 1024; // 10 MB

private String fetchSwaggerDoc(final String swaggerUrl) throws IOException {
    // Check Content-Length header first, then count bytes during streaming read
    // Throw IllegalArgumentException if limit exceeded
}
```
Acceptance Criteria:

Requests to /swagger/import or /swagger/import/mcp with a URL pointing to a file larger than the configured limit return a 400 Bad Request response.
The size limit is configurable via application.yml.
Legitimate Swagger/OpenAPI documents within the size limit are imported without issue.
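The bounded read sketched above, written out as a self-contained added example (this is not ShenYu code and not the reporter's implementation). It takes an arbitrary `InputStream` plus the server-declared `Content-Length` (or -1 when absent), so it does not depend on the HTTP client; the class name `BoundedBodyReader`, the helper `readBounded`, and the three sample bodies in `main` are all constructed for illustration. The Content-Length check is only a cheap early rejection: a server can omit the header (chunked encoding) or lie about it, so the byte counter on the stream is the guard that actually holds.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not ShenYu project code): read an HTTP response body into a
 * String while enforcing a hard upper bound on the number of bytes accepted.
 */
public final class BoundedBodyReader {

    /** Same 10 MB default the issue proposes; the real change would read this from application.yml. */
    public static final long MAX_SWAGGER_BODY_BYTES = 10L * 1024 * 1024;

    private BoundedBodyReader() {
    }

    /**
     * @param in             the response body stream (hypothetical caller: response.body().byteStream() with OkHttp)
     * @param declaredLength Content-Length as reported by the server, or -1 if absent or unknown
     * @param maxBytes       hard limit on bytes that will be buffered
     * @return the body decoded as UTF-8
     * @throws IllegalArgumentException if the declared or actual size exceeds maxBytes
     */
    public static String readBounded(final InputStream in, final long declaredLength, final long maxBytes)
            throws IOException {
        // Fast path: refuse before reading anything when the server already says the body is too big.
        // This header is advisory only (missing for chunked bodies, and an attacker-controlled server
        // can under-report it), so the streaming counter below is the check that matters.
        if (declaredLength > maxBytes) {
            throw new IllegalArgumentException("Content-Length " + declaredLength
                    + " exceeds limit of " + maxBytes + " bytes");
        }
        // Pre-size the buffer from the declared length only when it is within the limit (checked above).
        final int initial = declaredLength > 0 ? (int) declaredLength : 8192;
        final ByteArrayOutputStream out = new ByteArrayOutputStream(initial);
        final byte[] buf = new byte[8192];
        long total = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            total += n;
            if (total > maxBytes) {
                // Stop immediately so an oversized body never accumulates on the heap.
                throw new IllegalArgumentException("Response body exceeds limit of " + maxBytes + " bytes");
            }
            out.write(buf, 0, n);
        }
        return out.toString(StandardCharsets.UTF_8.name());
    }

    public static void main(final String[] args) throws IOException {
        final long limit = 64; // tiny limit so the demo trips it without allocating megabytes

        // Constructed sample 1: a small OpenAPI stub well under the limit -> accepted.
        final byte[] small = "{\"openapi\":\"3.0.0\",\"paths\":{}}".getBytes(StandardCharsets.UTF_8);
        final String doc = readBounded(new ByteArrayInputStream(small), small.length, limit);
        System.out.println("small body accepted, " + doc.length() + " chars");

        // Constructed sample 2: server honestly declares an oversized body -> rejected before any read.
        try {
            readBounded(new ByteArrayInputStream(new byte[200]), 200, limit);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected by Content-Length: " + e.getMessage());
        }

        // Constructed sample 3: no Content-Length (chunked/unknown) and an oversized stream -> rejected mid-read.
        try {
            readBounded(new ByteArrayInputStream(new byte[200]), -1, limit);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected during streaming read: " + e.getMessage());
        }
    }
}
```

Assuming the project's client is OkHttp (which the `response.body().string()` call suggests), `fetchSwaggerDoc` would call `readBounded(body.byteStream(), body.contentLength(), maxBytes)` instead of `body.string()`, with `maxBytes` injected from the new application.yml property. The `IllegalArgumentException` is then what the import controller maps to the 400 Bad Request the acceptance criteria ask for; the stream is closed by the existing try-with-resources on the response, as it would be for the unbounded read.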
