fix(admin): limit swagger import response body size #6411

Merged
Aias00 merged 3 commits into apache:master from SouthwestAsiaFloat:issue-6401
Jul 5, 2026

@SouthwestAsiaFloat SouthwestAsiaFloat commented Jun 28, 2026

Contributor

#6401

Description

This PR limits the Swagger/OpenAPI import response body size in shenyu-admin.

It adds a configurable shenyu.swagger.max-body-size setting with a default value of 10 MB, rejects oversized Swagger responses both by Content-Length and during streaming, and returns HTTP 400 for invalid or oversized import requests.

Tests

Added tests in:

  • SwaggerImportControllerTest
  • SwaggerImportServiceImplTest

The tests cover oversized Swagger response rejection, HTTP 400 responses for invalid import requests, successful small-body imports, unknown Content-Length streaming limits, exact-limit bodies, empty response bodies, and response charset handling.

Make sure that:

  • You have read the contribution guidelines.
  • You submit test cases (unit or integration tests) that back your changes.
  • Your local test passed ./mvnw clean install -Dmaven.javadoc.skip=true.
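
The two checks named in the description (reject on Content-Length, then enforce the limit again while streaming) can be sketched as follows. This is an added example, not code from this PR or from shenyu-admin; the class, method and exception names are hypothetical, and the 16-byte limit is a constructed value standing in for the 10 MB default.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

public class BoundedBodyReader {
    /** Hypothetical exception type; a caller would map it to a 400-style error. */
    static class BodyTooLargeException extends IOException {
        BodyTooLargeException(final String message) {
            super(message);
        }
    }

    /** declaredLength is the Content-Length value, or -1 when the header is absent. */
    static byte[] readBounded(final InputStream body, final long declaredLength, final int maxBytes) throws IOException {
        // Check 1: reject on the declared length before reading any of the body.
        if (declaredLength > maxBytes) {
            throw new BodyTooLargeException("Content-Length " + declaredLength + " > " + maxBytes);
        }
        // Check 2: the header may be absent or understated, so count bytes as they arrive.
        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        final byte[] buf = new byte[8192];
        long total = 0;
        int n;
        while ((n = body.read(buf)) != -1) {
            total += n;
            if (total > maxBytes) {
                throw new BodyTooLargeException("streamed body > " + maxBytes + " bytes");
            }
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    static String attempt(final byte[] body, final long declaredLength, final int maxBytes) {
        try {
            return "accepted " + readBounded(new ByteArrayInputStream(body), declaredLength, maxBytes).length + " bytes";
        } catch (IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(final String[] args) {
        final int limit = 16; // constructed small limit for the demo
        System.out.println(attempt(new byte[16], 16, limit));   // exact-limit body
        System.out.println(attempt(new byte[17], -1, limit));   // no Content-Length, over limit
        System.out.println(attempt(new byte[17], 5, limit));    // understated Content-Length
        System.out.println(attempt(new byte[1], 1000, limit));  // oversized Content-Length
    }
}
```

The streaming check fires before the chunk is appended, so the buffer never holds more than the limit even when the declared length is missing or wrong.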

*/
@PostMapping("/import")
public ShenyuAdminResult importSwagger(@Valid @RequestBody final SwaggerImportRequest request) {
public ResponseEntity<ShenyuAdminResult> importSwagger(@Valid @RequestBody final SwaggerImportRequest request) {
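
Review bot: the new return type on importSwagger, ResponseEntity<ShenyuAdminResult>, changes what existing callers of POST /import see on failure, since they may be reading the error from the ShenyuAdminResult body rather than from the HTTP status. If the admin API reports business errors through the result code, keep ShenyuAdminResult as the return type and carry the 400 in the body; if a real HTTP 400 is intended, state it in the method's Javadoc so the contract change is explicit.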

Contributor

why change response type?

*/
@PostMapping("import/mcp")
public ShenyuAdminResult importMcpConfig(@Valid @RequestBody final SwaggerImportRequest request) {
public ResponseEntity<ShenyuAdminResult> importMcpConfig(@Valid @RequestBody final SwaggerImportRequest request) {
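
Review bot: the mapping above importMcpConfig is written "import/mcp" without a leading slash, while the sibling endpoint uses "/import"; since this method is being touched anyway, consider "/import/mcp" so both mappings follow one style. The return type change to ResponseEntity<ShenyuAdminResult> should also be resolved the same way on both endpoints so they do not diverge in how errors are reported.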

Contributor

why change response type?

Contributor Author

I changed the response type because the PR description says that invalid or oversized import requests should return HTTP 400. The original return type (ShenyuAdminResult) only carries the business error code in the response body, and when returned directly, Spring MVC still responds with HTTP 200 by default. Using ResponseEntity allows the endpoint to return both an HTTP 400 status and the existing ShenyuAdminResult response body.

If the expected behavior is to keep the existing admin API convention (i.e. returning HTTP 200 with ShenyuAdminResult.code = 400 for business errors), I’m happy to change it back and update the implementation accordingly.

My apologies if I misunderstood the expected behavior.

Contributor

pls change to ShenyuAdminResult

Contributor Author

Done

@SouthwestAsiaFloat SouthwestAsiaFloat requested a review from Aias00 July 5, 2026 12:48

@Aias00 Aias00 left a comment

Contributor

LGTM

@Aias00 Aias00 merged commit d409a04 into apache:master Jul 5, 2026
39 checks passed