feat: add max_post_args_readable_size to bound post_arg.* body reads #13601

Merged
shreemaan-abhishek merged 2 commits into apache:master from shreemaan-abhishek:fix/post-arg-body-size-limit
Jun 29, 2026

@shreemaan-abhishek

Contributor

Description

Route matching supports post_arg.* predicates. For application/json and multipart/form-data requests, resolving these predicates in apisix/core/ctx.lua calls request.get_request_body_table() with no size limit, so the full request body (including temp-file-backed bodies) is parsed into worker memory during the access-phase matching.

This PR adds a configurable bound:

  • New config apisix.max_post_args_readable_size (in MB, default 64, 0 disables the limit).
  • post_arg.* matching now passes this cap to the body reader. Bodies larger than the cap are not read; the predicate resolves to nil and the route simply does not match.
  • The cap covers the JSON and multipart paths (x-www-form-urlencoded already goes through nginx's bounded get_post_args).

Added schema validation, updated config.yaml.example, the router-radixtree docs, and tests in t/core/ctx3.t (oversized body is not read and the route does not match; within-cap body still matches).

Which issue(s) this PR fixes:

Fixes #

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
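
The behaviour described in this PR, modelled as an added Python example (not code from the PR or from APISIX, whose own logic is Lua in apisix/core/ctx.lua). The function names, the 1 MB = 1024 * 1024 bytes conversion, the JSON-only scope and the sample bodies are assumptions made for illustration.

```python
import json

MB = 1024 * 1024  # assumption: the page only says the setting is "in MB"


def read_body_table(body, content_type, max_size_mb):
    """Parse a JSON body into a dict, or return None without parsing when
    the body is larger than the cap (0 disables the cap)."""
    if not content_type.lower().startswith("application/json"):
        return None  # multipart and urlencoded paths are outside this model
    if max_size_mb > 0 and len(body) > max_size_mb * MB:
        return None  # oversized: never handed to the parser
    try:
        table = json.loads(body)
    except ValueError:
        return None
    return table if isinstance(table, dict) else None


def resolve_post_arg(name, body, content_type, max_size_mb=64):
    """Value of post_arg.<name>, or None when the body was not read."""
    table = read_body_table(body, content_type, max_size_mb)
    return None if table is None else table.get(name)


def route_matches(expected, body, content_type, max_size_mb=64):
    """A route matches only if every post_arg predicate resolves to the
    expected value; a None (nil) predicate simply fails the match."""
    return all(
        resolve_post_arg(k, body, content_type, max_size_mb) == v
        for k, v in expected.items()
    )


# Constructed sample requests: same field, one padded past a 1 MB cap.
SMALL = json.dumps({"name": "alice"}).encode()
LARGE = json.dumps({"name": "alice", "pad": "x" * (MB + 1)}).encode()

if __name__ == "__main__":
    for label, body in (("small", SMALL), ("large", LARGE)):
        for cap in (1, 0):
            hit = route_matches({"name": "alice"}, body, "application/json", cap)
            print(f"{label:5} body, cap={cap} MB -> match={hit}")
```
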

Matching post_arg.* route predicates parses the full request body for
JSON and multipart requests. Add a configurable cap (apisix.max_post_args_readable_size,
default 64 MB, 0 to disable) so large bodies are not read into worker
memory during route matching.
dosubot (bot) added the size:L and enhancement labels on Jun 23, 2026
membphis previously approved these changes on Jun 24, 2026
nic-6443 previously approved these changes on Jun 26, 2026
shreemaan-abhishek dismissed stale reviews from nic-6443 and membphis via 1696c7a on June 26, 2026 06:19
shreemaan-abhishek merged commit e9ff2d2 into apache:master on Jun 29, 2026
22 checks passed

4 participants