From 210a61112bca52bd5b6b093cfe3b1218a0c1f64a Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Fri, 29 Apr 2016 15:08:21 +0100
Subject: [PATCH] reject payloads larger than 2MB for setDoc

---
 .../app/coffee/HttpController.coffee | 12 ++++++++----
 .../unit/coffee/HttpController/setDocTests.coffee | 11 ++++++++++-
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/services/document-updater/app/coffee/HttpController.coffee b/services/document-updater/app/coffee/HttpController.coffee
index ef9fb38e19..65c7ca20d3 100644
--- a/services/document-updater/app/coffee/HttpController.coffee
+++ b/services/document-updater/app/coffee/HttpController.coffee
@@ -4,6 +4,8 @@ Errors = require "./Errors"
 logger = require "logger-sharelatex"
 Metrics = require "./Metrics"
 
+TWO_MEGABYTES = 2 * 1024 * 1024
+
 module.exports = HttpController =
 getDoc: (req, res, next = (error) ->) ->
 doc_id = req.params.doc_id
@@ -34,6 +36,9 @@ module.exports = HttpController =
 lines = req.body.lines
 source = req.body.source
 user_id = req.body.user_id
+ if req.headers['content-length'] > TWO_MEGABYTES
+ logger.log {project_id, doc_id, source, user_id}, "document too large, returning 406 response"
+ return res.send 406
 logger.log project_id: project_id, doc_id: doc_id, lines: lines, source: source, user_id: user_id, "setting doc via http"
 timer = new Metrics.Timer("http.setDoc")
 DocumentManager.setDocWithLock project_id, doc_id, lines, source, user_id, (error) ->
@@ -41,7 +46,7 @@ module.exports = HttpController =
 return next(error) if error?
 logger.log project_id: project_id, doc_id: doc_id, "set doc via http"
 res.send 204 # No Content
-
+
 flushDocIfLoaded: (req, res, next = (error) ->) ->
 doc_id = req.params.doc_id
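Review bot: The size guard added after `user_id = req.body.user_id` runs only once `req.body` has already been populated, so the oversized payload has presumably already been buffered and parsed by the body-parsing middleware upstream; the new check spares the `setDocWithLock` call but does not bound memory or parsing cost, which also needs to be enforced by that middleware's body-size limit. It also trusts a client-supplied header: `req.headers['content-length']` is a string or undefined, and when the header is absent (for example with chunked transfer encoding) `undefined > TWO_MEGABYTES` is false and the request passes, so parse it explicitly, `if parseInt(req.headers['content-length'], 10) > TWO_MEGABYTES`, and decide deliberately what a missing header should mean rather than letting it through by default. The status is also off: 406 Not Acceptable signals a content-negotiation failure, whereas 413 is the status for an oversized request entity, so `return res.send 413`, with the matching expectation in setDocTests.coffee changed accordingly. setDoc starts before the hunk and its callback continues after it.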
@@ -53,7 +58,7 @@ module.exports = HttpController =
 return next(error) if error?
 logger.log project_id: project_id, doc_id: doc_id, "flushed doc via http"
 res.send 204 # No Content
-
+
 flushAndDeleteDoc: (req, res, next = (error) ->) ->
 doc_id = req.params.doc_id
 project_id = req.params.project_id
@@ -74,7 +79,7 @@ module.exports = HttpController =
 return next(error) if error?
 logger.log project_id: project_id, "flushed project via http"
 res.send 204 # No Content
-
+
 deleteProject: (req, res, next = (error) ->) ->
 project_id = req.params.project_id
 logger.log project_id: project_id, "deleting project via http"
@@ -84,4 +89,3 @@ module.exports = HttpController =
 return next(error) if error?
 logger.log project_id: project_id, "deleted project via http"
 res.send 204 # No Content
-
diff --git a/services/document-updater/test/unit/coffee/HttpController/setDocTests.coffee b/services/document-updater/test/unit/coffee/HttpController/setDocTests.coffee
index b60549c137..e8c05ccd03 100644
--- a/services/document-updater/test/unit/coffee/HttpController/setDocTests.coffee
+++ b/services/document-updater/test/unit/coffee/HttpController/setDocTests.coffee
@@ -24,6 +24,7 @@ describe "HttpController.setDoc", ->
 @res =
 send: sinon.stub()
 @req =
+ headers: {}
 params:
 project_id: @project_id
 doc_id: @doc_id
@@ -65,7 +66,15 @@ describe "HttpController.setDoc", ->
 @next
 .calledWith(new Error("oops"))
 .should.equal true
-
+ describe "when the payload is too large", ->
+ beforeEach ->
+ @req.headers['content-length'] = 40 * 1024 * 1024
+ @DocumentManager.setDocWithLock = sinon.stub().callsArgWith(5)
+ @HttpController.setDoc(@req, @res, @next)
+ it 'should send back a 406 response', ->
+ @res.send.calledWith(406).should.equal true
+ it 'should not call setDocWithLock', ->
+ @DocumentManager.setDocWithLock.callCount.should.equal 0