cluade code review changes
This commit is contained in:
@@ -13,6 +13,9 @@ import (
|
||||
"code.patial.tech/go/appcore/ptr"
|
||||
)
|
||||
|
||||
// MaxPageSize is the maximum allowed page size to prevent resource exhaustion.
|
||||
var MaxPageSize = 1000
|
||||
|
||||
type Pager struct {
|
||||
OrderBy *string `json:"orderBy"`
|
||||
OrderAsc *bool `json:"orderAsc"`
|
||||
@@ -39,7 +42,9 @@ func (i *Pager) Offset() int {
|
||||
return 0
|
||||
}
|
||||
|
||||
return (i.Page - 1) * i.Limit()
|
||||
page := max(i.Page, 1)
|
||||
|
||||
return (page - 1) * i.Limit()
|
||||
}
|
||||
|
||||
func (i *Pager) Limit() int {
|
||||
@@ -63,14 +68,17 @@ func GetPager(r *http.Request) Pager {
|
||||
}
|
||||
|
||||
if v := r.URL.Query().Get("pg"); v != "" {
|
||||
if vv, err := strconv.Atoi(v); err == nil {
|
||||
p.Page = int(vv)
|
||||
if vv, err := strconv.Atoi(v); err == nil && vv > 0 {
|
||||
p.Page = vv
|
||||
}
|
||||
}
|
||||
|
||||
if v := r.URL.Query().Get("pg_s"); v != "" {
|
||||
if vv, err := strconv.Atoi(v); err == nil {
|
||||
p.Size = int(vv)
|
||||
if vv, err := strconv.Atoi(v); err == nil && vv > 0 {
|
||||
if vv > MaxPageSize {
|
||||
vv = MaxPageSize
|
||||
}
|
||||
p.Size = vv
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -15,10 +15,10 @@ import (
|
||||
"code.patial.tech/go/appcore/validate"
|
||||
)
|
||||
|
||||
// MaxRequestBodySize is the maximum allowed size for request bodies (1MB default).
|
||||
// MaxRequestBodySize is the maximum allowed size for request bodies (5MB default).
|
||||
// This prevents resource exhaustion attacks from large payloads.
|
||||
// Override this value if you need to accept larger requests.
|
||||
var MaxRequestBodySize int64 = 1 << 20 // 1MB
|
||||
var MaxRequestBodySize int64 = 5 << 20 // 5MB
|
||||
|
||||
func FormField(r *http.Request, key string) (string, error) {
|
||||
f, err := Payload[map[string]any](r)
|
||||
@@ -49,22 +49,24 @@ func PayloadWithValidate[T any](r *http.Request) (T, error) {
|
||||
func Payload[T any](r *http.Request) (T, error) {
|
||||
var p T
|
||||
|
||||
if r.ContentLength > MaxRequestBodySize {
|
||||
return p, errors.New("request body too large")
|
||||
}
|
||||
|
||||
// Limit request body size to prevent resource exhaustion
|
||||
limited := io.LimitReader(r.Body, MaxRequestBodySize)
|
||||
limited := io.LimitReader(r.Body, MaxRequestBodySize+1)
|
||||
|
||||
decoder := json.NewDecoder(limited)
|
||||
if err := decoder.Decode(&p); err != nil {
|
||||
// Check if we hit the size limit
|
||||
if err == io.EOF || err == io.ErrUnexpectedEOF {
|
||||
// Try to read one more byte to see if there's more data
|
||||
var buf [1]byte
|
||||
if n, _ := limited.Read(buf[:]); n == 0 {
|
||||
// We hit the limit
|
||||
return p, errors.New("request body too large")
|
||||
}
|
||||
}
|
||||
return p, err
|
||||
}
|
||||
|
||||
// Check if there's more data beyond the limit
|
||||
var buf [1]byte
|
||||
if n, _ := limited.Read(buf[:]); n > 0 {
|
||||
return p, errors.New("request body too large")
|
||||
}
|
||||
|
||||
return p, nil
|
||||
}
|
||||
|
||||
@@ -72,21 +74,23 @@ func Payload[T any](r *http.Request) (T, error) {
|
||||
// This is useful when you want to decode into an existing variable.
|
||||
// The request body size is limited by MaxRequestBodySize to prevent DoS attacks.
|
||||
func DecodeJSON(r *http.Request, v any) error {
|
||||
if r.ContentLength > MaxRequestBodySize {
|
||||
return errors.New("request body too large")
|
||||
}
|
||||
|
||||
// Limit request body size to prevent resource exhaustion
|
||||
limited := io.LimitReader(r.Body, MaxRequestBodySize)
|
||||
limited := io.LimitReader(r.Body, MaxRequestBodySize+1)
|
||||
|
||||
decoder := json.NewDecoder(limited)
|
||||
if err := decoder.Decode(v); err != nil {
|
||||
// Check if we hit the size limit
|
||||
if err == io.EOF || err == io.ErrUnexpectedEOF {
|
||||
// Try to read one more byte to see if there's more data
|
||||
var buf [1]byte
|
||||
if n, _ := limited.Read(buf[:]); n == 0 {
|
||||
// We hit the limit
|
||||
return errors.New("request body too large")
|
||||
}
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// Check if there's more data beyond the limit
|
||||
var buf [1]byte
|
||||
if n, _ := limited.Read(buf[:]); n > 0 {
|
||||
return errors.New("request body too large")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -35,10 +35,21 @@ func NumberParam[T Number](r *http.Request, key string) (T, error) {
|
||||
return T(n), nil
|
||||
}
|
||||
|
||||
// int param
|
||||
// unsigned int param
|
||||
if k >= reflect.Uint && k <= reflect.Uint64 {
|
||||
n, err := strconv.ParseUint(p, 10, 64)
|
||||
if err != nil {
|
||||
return noop, fmt.Errorf("query param: %q is not a valid unsigned integer", key)
|
||||
}
|
||||
|
||||
return T(n), nil
|
||||
}
|
||||
|
||||
// signed int param
|
||||
n, err := strconv.ParseInt(p, 10, 64)
|
||||
if err != nil {
|
||||
return noop, fmt.Errorf("query param: %q is not a valid integer", key)
|
||||
}
|
||||
|
||||
return T(n), nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user