Body parser limits and validation

[rodhoward]

Hi, just checking out Hono and trying to convert our existing Koa server. One of the things we had was a bodyParser which you could specify limits.

const limit = process.env.BODY_SIZE_LIMIT || "15mb";
app.use(bodyParser({ jsonLimit: limit, formLimit: limit }));

Is there something similar in Hono? I think the idea is to protect from denial of service attacks using massive payloads.
Cheers
Rod

[ghost]

I don't know of a critical function as such.

The code for koa and hono middleware is similar, so I suggest you try to make a copy of it.
https://github.com/koajs/bodyparser/blob/master/src/body-parser.ts

I hope this helps.

[EdamAme-x]

Probably Hono does not have this feature
You could try the method above.
However, this feature is very interesting and I will prototype it as a built-in feature.

[EdamAme-x]

#2077

[rodhoward]

Thanks 👍

[EdamAme-x]

hi @rodhoward
Any suggestions for a name for this feature?
It is considered important to limit the BODY size for this feat.

[rodhoward]

Hi,
In Hono to get request json we have this syntax:

app.post('/entry', async (c) => {
  const body = await c.req.json()
  ...
})

This is great except what happens if someone sends a massive json file witch takes too long to parse. This could form part of a DOS attack to send a very big json request. In Koa the body parser which handles parsing the body allows us to set limits on the size of requests that will be processed. So if the request is too big it will be rejected before we parse it keeping the server stable and responsive.
I would be copying the names from other servers. { bodyParser: { jsonLimit: "1mb" } }

[EdamAme-x]

Thanks.

I am thinking of narrowing this down to the ability to limit the size of the BODY.

[ghost]

hi @rodhoward
Sorry if you have already seen the issue(#2077), but I wrote this for the benefit of others who see this discussion.

Now, this approach is not DDoS-proof.
Because when the request size is retrieved, the memory for that request is used, and there is no way around that.
Therefore, it is not possible to "protect memory by blocking large requests".
I think this is the same with Koa.

So we think measures should be taken at lower layers.
Such as:

• If bun, maxRequestBodySize may be used
  • https://github.com/oven-sh/bun/blob/345ed1845421598a0839bb00ddf63440b64d8253/packages/bun-types/bun.d.ts#L2052-L2056
• Using nginx with set client_max_body_size.

For more information, please refer to the excellent information by @usualoma .

bodyLimit (changed from bodyParser) to Hono has not been decided yet, but I hope it will be good news for you.

[rodhoward]

Thanks so much! I'm glad people have taken interest in my question and thanks for all the information.

Cheers
Rod

[ghost]

New PR is created: #2103

[zomchak-code]

@goisaki
Will this also allow to increate a body limit from the default one?
I'm getting 413 response for 142,6mb body

Hono: 3.12.6
@hono/node-server: 1.4.1

[Tommy1223454]

Size limits are a really important first step here, especially for DoS-style abuse.

I’d just treat them as one layer, not the whole file-upload defense story. In practice I like combining:

• body size limits
• strict parsing boundaries
• file inspection before storage/downstream use

I built an OSS Node.js package around that inspection step:
https://github.com/pompelmi/pompelmi

It doesn’t replace parser/body limits, but it complements them well once the request has been accepted.