Skip to content

feat: add max_post_args_readable_size to bound post_arg.* body reads#13601

Open
shreemaan-abhishek wants to merge 2 commits into
apache:masterfrom
shreemaan-abhishek:fix/post-arg-body-size-limit
Open

feat: add max_post_args_readable_size to bound post_arg.* body reads#13601
shreemaan-abhishek wants to merge 2 commits into
apache:masterfrom
shreemaan-abhishek:fix/post-arg-body-size-limit

Conversation

@shreemaan-abhishek

@shreemaan-abhishek shreemaan-abhishek commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Description

Route matching supports post_arg.* predicates. For application/json and multipart/form-data requests, resolving these predicates in apisix/core/ctx.lua calls request.get_request_body_table() with no size limit, so the full request body (including temp-file-backed bodies) is parsed into worker memory during the access-phase matching.

This PR adds a configurable bound:

  • New config apisix.max_post_args_readable_size (in MB, default 64, 0 disables the limit).
  • post_arg.* matching now passes this cap to the body reader. Bodies larger than the cap are not read; the predicate resolves to nil and the route simply does not match.
  • The cap covers the JSON and multipart paths (x-www-form-urlencoded already goes through nginx's bounded get_post_args).

Added schema validation, updated config.yaml.example, the router-radixtree docs, and tests in t/core/ctx3.t (oversized body is not read and the route does not match; within-cap body still matches).

Which issue(s) this PR fixes:

Fixes #

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@shreemaan-abhishek
feat: add max_post_args_readable_size to bound post_arg.* body reads
69d99f8 
Matching post_arg.* route predicates parses the full request body for
JSON and multipart requests. Add a configurable cap (apisix.max_post_args_readable_size,
default 64 MB, 0 to disable) so large bodies are not read into worker
memory during route matching.
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. enhancement New feature or request labels Jun 23, 2026
membphis
membphis previously approved these changes Jun 24, 2026
View reviewed changes
nic-6443
nic-6443 previously approved these changes Jun 26, 2026
View reviewed changes
@shreemaan-abhishek shreemaan-abhishek dismissed stale reviews from nic-6443 and membphis via 1696c7a June 26, 2026 06:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@membphis membphis membphis approved these changes
@AlinsRan AlinsRan AlinsRan approved these changes
@nic-6443 nic-6443 nic-6443 left review comments

At least 3 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

enhancement New feature or request size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@shreemaan-abhishek @membphis @nic-6443 @AlinsRan