fix(admin): limit swagger import response body size #6411
| */ | ||
| @PostMapping("/import") | ||
| public ShenyuAdminResult importSwagger(@Valid @RequestBody final SwaggerImportRequest request) { | ||
| public ResponseEntity<ShenyuAdminResult> importSwagger(@Valid @RequestBody final SwaggerImportRequest request) { |
| */ | ||
| @PostMapping("import/mcp") | ||
| public ShenyuAdminResult importMcpConfig(@Valid @RequestBody final SwaggerImportRequest request) { | ||
| public ResponseEntity<ShenyuAdminResult> importMcpConfig(@Valid @RequestBody final SwaggerImportRequest request) { |
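Review bot: switching the return type to ResponseEntity<ShenyuAdminResult> on both importSwagger and importMcpConfig changes the response contract of two existing endpoints, so any caller written against the plain ShenyuAdminResult return has to be checked. Either keep ShenyuAdminResult and report the rejection through its error code, or state the new status behaviour in the Javadoc above each method. Separately, the context lines map one endpoint as "/import" and the other as "import/mcp" without a leading slash; using the same form for both would read more consistently.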
I changed the response type because the PR description says that invalid or oversized import requests should return HTTP 400. The original return type (ShenyuAdminResult) only carries the business error code in the response body, and when returned directly, Spring MVC still responds with HTTP 200 by default. Using ResponseEntity allows the endpoint to return both an HTTP 400 status and the existing ShenyuAdminResult response body.
If the expected behavior is to keep the existing admin API convention (i.e. returning HTTP 200 with ShenyuAdminResult.code = 400 for business errors), I’m happy to change it back and update the implementation accordingly.
My apologies if I misunderstood the expected behavior.
pls change to ShenyuAdminResult
#6401
Description
This PR limits the Swagger/OpenAPI import response body size in shenyu-admin.
It adds a configurable shenyu.swagger.max-body-size setting with a default value of 10 MB, rejects oversized Swagger responses both by Content-Length and during streaming, and returns HTTP 400 for invalid or oversized import requests.
Tests
Added tests in:
SwaggerImportControllerTest
SwaggerImportServiceImplTest
The tests cover oversized Swagger response rejection, HTTP 400 responses for invalid import requests, successful small-body imports, unknown Content-Length streaming limits, exact-limit bodies, empty response bodies, and response charset handling.
Make sure that:
./mvnw clean install -Dmaven.javadoc.skip=true.
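The two-stage limit named in the description (reject on Content-Length, then enforce the cap while streaming), as an added Java example that is not the PR's or the project's code. BoundedBodyReader, BodyTooLargeException and the 16-byte demo limit are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

// Added illustration; class and method names are hypothetical, not ShenYu code.
public final class BoundedBodyReader {

    /** Raised when the declared or actual body size exceeds the limit. */
    public static final class BodyTooLargeException extends IOException {
        BodyTooLargeException(final String message) {
            super(message);
        }
    }

    /** declaredLength is the Content-Length value, or -1 when the header is absent. */
    public static String read(final InputStream body, final long declaredLength,
                              final long maxBytes, final Charset charset) throws IOException {
        // Early rejection: Content-Length is used only to refuse, never to skip the streaming check.
        if (declaredLength > maxBytes) {
            throw new BodyTooLargeException("declared length " + declaredLength + " exceeds " + maxBytes);
        }
        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        final byte[] buf = new byte[8192];
        long total = 0;
        int n;
        while ((n = body.read(buf)) != -1) {
            total += n;
            // Streaming check covers a missing or understated Content-Length.
            if (total > maxBytes) {
                throw new BodyTooLargeException("body exceeds " + maxBytes + " bytes");
            }
            out.write(buf, 0, n);
        }
        return new String(out.toByteArray(), charset);
    }

    public static void main(final String[] args) throws IOException {
        final long limit = 16; // constructed small limit for the demo
        // Exact-limit body with unknown length is accepted.
        System.out.println(read(new ByteArrayInputStream(new byte[16]), -1, limit, StandardCharsets.UTF_8).length());
        try {
            read(new ByteArrayInputStream(new byte[17]), -1, limit, StandardCharsets.UTF_8);
        } catch (BodyTooLargeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the size check runs before each write, buffered data never exceeds the limit, regardless of what the remote server declares or sends.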