feat(http): add SizeLimitHandler to enforce request body size limit

common/src/main/java/org/tron/common/parameter/CommonParameter.java

@@ -216,6 +216,12 @@ public class CommonParameter {
   public int maxMessageSize;
   @Getter
   @Setter
+  public long httpMaxMessageSize;
+  @Getter
+  @Setter
+  public long jsonRpcMaxMessageSize;
+  @Getter
+  @Setter
   public int maxHeaderListSize;
   @Getter
   @Setter

framework/src/main/java/org/tron/common/application/HttpService.java

@@ -15,10 +15,12 @@
 
 package org.tron.common.application;
 
+import com.google.common.annotations.VisibleForTesting;
 import java.util.concurrent.CompletableFuture;
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.jetty.server.ConnectionLimit;
 import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.handler.SizeLimitHandler;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.tron.core.config.args.Args;
 
@@ -29,6 +31,18 @@ public abstract class HttpService extends AbstractService {
 
   protected String contextPath;
 
+  protected long maxRequestSize = 4 * 1024 * 1024; // 4MB
+
+  @VisibleForTesting
+  public long getMaxRequestSize() {
+    return this.maxRequestSize;
+  }
+
+  @VisibleForTesting
+  public void setMaxRequestSize(long maxRequestSize) {
+    this.maxRequestSize = maxRequestSize;
+  }
+
   @Override
   public void innerStart() throws Exception {
     if (this.apiServer != null) {
@@ -63,7 +77,9 @@ protected void initServer() {
   protected ServletContextHandler initContextHandler() {
     ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
     context.setContextPath(this.contextPath);
-    this.apiServer.setHandler(context);
+    SizeLimitHandler sizeLimitHandler = new SizeLimitHandler(this.maxRequestSize, -1);
+    sizeLimitHandler.setHandler(context);
+    this.apiServer.setHandler(sizeLimitHandler);
     return context;
   }
 

framework/src/main/java/org/tron/core/config/args/Args.java

@@ -471,8 +471,30 @@ public static void applyConfigParams(
             ? config.getLong(ConfigKey.NODE_RPC_MAX_CONNECTION_AGE_IN_MILLIS)
             : Long.MAX_VALUE;
 
-    PARAMETER.maxMessageSize = config.hasPath(ConfigKey.NODE_RPC_MAX_MESSAGE_SIZE)
-        ? config.getInt(ConfigKey.NODE_RPC_MAX_MESSAGE_SIZE) : GrpcUtil.DEFAULT_MAX_MESSAGE_SIZE;
+    long rpcMaxMessageSize = config.hasPath(ConfigKey.NODE_RPC_MAX_MESSAGE_SIZE)
+        ? config.getMemorySize(ConfigKey.NODE_RPC_MAX_MESSAGE_SIZE).toBytes()
+        : GrpcUtil.DEFAULT_MAX_MESSAGE_SIZE;
+    if (rpcMaxMessageSize < 0 || rpcMaxMessageSize > Integer.MAX_VALUE) {
+      throw new TronError("node.rpc.maxMessageSize must be non-negative and <= "
+          + Integer.MAX_VALUE + ", got: " + rpcMaxMessageSize, PARAMETER_INIT);
+    }
+    PARAMETER.maxMessageSize = (int) rpcMaxMessageSize;
+
+    long defaultMaxMessageSize = GrpcUtil.DEFAULT_MAX_MESSAGE_SIZE;
+    PARAMETER.httpMaxMessageSize = config.hasPath(ConfigKey.NODE_HTTP_MAX_MESSAGE_SIZE)
+        ? config.getMemorySize(ConfigKey.NODE_HTTP_MAX_MESSAGE_SIZE).toBytes()
+        : defaultMaxMessageSize;
+    if (PARAMETER.httpMaxMessageSize < 0) {
+      throw new TronError("node.http.maxMessageSize must be non-negative, got: "
+          + PARAMETER.httpMaxMessageSize, PARAMETER_INIT);
+    }
+    PARAMETER.jsonRpcMaxMessageSize = config.hasPath(ConfigKey.NODE_JSONRPC_MAX_MESSAGE_SIZE)
+        ? config.getMemorySize(ConfigKey.NODE_JSONRPC_MAX_MESSAGE_SIZE).toBytes()
+        : defaultMaxMessageSize;
+    if (PARAMETER.jsonRpcMaxMessageSize < 0) {
+      throw new TronError("node.jsonrpc.maxMessageSize must be non-negative, got: "
+          + PARAMETER.jsonRpcMaxMessageSize, PARAMETER_INIT);
+    }
 
     PARAMETER.maxHeaderListSize = config.hasPath(ConfigKey.NODE_RPC_MAX_HEADER_LIST_SIZE)
         ? config.getInt(ConfigKey.NODE_RPC_MAX_HEADER_LIST_SIZE)

framework/src/main/java/org/tron/core/config/args/ConfigKey.java

@@ -136,6 +136,7 @@ private ConfigKey() {
   public static final String NODE_HTTP_SOLIDITY_ENABLE = "node.http.solidityEnable";
   public static final String NODE_HTTP_PBFT_ENABLE = "node.http.PBFTEnable";
   public static final String NODE_HTTP_PBFT_PORT = "node.http.PBFTPort";
+  public static final String NODE_HTTP_MAX_MESSAGE_SIZE = "node.http.maxMessageSize";
 
   // node - jsonrpc
   public static final String NODE_JSONRPC_HTTP_FULLNODE_ENABLE =
@@ -150,6 +151,7 @@ private ConfigKey() {
   public static final String NODE_JSONRPC_MAX_SUB_TOPICS = "node.jsonrpc.maxSubTopics";
   public static final String NODE_JSONRPC_MAX_BLOCK_FILTER_NUM =
       "node.jsonrpc.maxBlockFilterNum";
+  public static final String NODE_JSONRPC_MAX_MESSAGE_SIZE = "node.jsonrpc.maxMessageSize";
 
   // node - dns
   public static final String NODE_DNS_TREE_URLS = "node.dns.treeUrls";

framework/src/main/java/org/tron/core/services/http/FullNodeHttpApiService.java

@@ -297,6 +297,7 @@ public FullNodeHttpApiService() {
     port = Args.getInstance().getFullNodeHttpPort();
     enable = isFullNode() && Args.getInstance().isFullNodeHttpEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getHttpMaxMessageSize();
   }
 
   @Override

framework/src/main/java/org/tron/core/services/http/Util.java

@@ -327,10 +327,12 @@ public static Transaction packTransaction(String strTransaction, boolean selfTyp
     }
   }
 
+  @Deprecated
   public static void checkBodySize(String body) throws Exception {
     CommonParameter parameter = Args.getInstance();
-    if (body.getBytes().length > parameter.getMaxMessageSize()) {
-      throw new Exception("body size is too big, the limit is " + parameter.getMaxMessageSize());
+    if (body.getBytes().length > parameter.getHttpMaxMessageSize()) {
+      throw new Exception("body size is too big, the limit is "
+          + parameter.getHttpMaxMessageSize());
     }
   }
 

framework/src/main/java/org/tron/core/services/http/solidity/SolidityNodeHttpApiService.java

@@ -170,6 +170,7 @@ public SolidityNodeHttpApiService() {
     port = Args.getInstance().getSolidityHttpPort();
     enable = !isFullNode() && Args.getInstance().isSolidityNodeHttpEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getHttpMaxMessageSize();
   }
 
   @Override

framework/src/main/java/org/tron/core/services/interfaceJsonRpcOnPBFT/JsonRpcServiceOnPBFT.java

@@ -19,6 +19,7 @@ public JsonRpcServiceOnPBFT() {
     port = Args.getInstance().getJsonRpcHttpPBFTPort();
     enable = isFullNode() && Args.getInstance().isJsonRpcHttpPBFTNodeEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getJsonRpcMaxMessageSize();
   }
 
   @Override

framework/src/main/java/org/tron/core/services/interfaceJsonRpcOnSolidity/JsonRpcServiceOnSolidity.java

@@ -19,6 +19,7 @@ public JsonRpcServiceOnSolidity() {
     port = Args.getInstance().getJsonRpcHttpSolidityPort();
     enable = isFullNode() && Args.getInstance().isJsonRpcHttpSolidityNodeEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getJsonRpcMaxMessageSize();
   }
 
   @Override

framework/src/main/java/org/tron/core/services/interfaceOnPBFT/http/PBFT/HttpApiOnPBFTService.java

@@ -173,6 +173,7 @@ public HttpApiOnPBFTService() {
     port = Args.getInstance().getPBFTHttpPort();
     enable = isFullNode() && Args.getInstance().isPBFTHttpEnable();
     contextPath = "/walletpbft";
+    maxRequestSize = Args.getInstance().getHttpMaxMessageSize();
   }
 
   @Override

framework/src/main/java/org/tron/core/services/interfaceOnSolidity/http/solidity/HttpApiOnSolidityService.java

@@ -181,6 +181,7 @@ public HttpApiOnSolidityService() {
     port = Args.getInstance().getSolidityHttpPort();
     enable = isFullNode() && Args.getInstance().isSolidityNodeHttpEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getHttpMaxMessageSize();
   }
 
   @Override

framework/src/main/java/org/tron/core/services/jsonrpc/FullNodeJsonRpcHttpService.java

@@ -24,6 +24,7 @@ public FullNodeJsonRpcHttpService() {
     port = Args.getInstance().getJsonRpcHttpFullNodePort();
     enable = isFullNode() && Args.getInstance().isJsonRpcHttpFullNodeEnable();
     contextPath = "/";
+    maxRequestSize = Args.getInstance().getJsonRpcMaxMessageSize();
   }
 
   @Override

framework/src/main/resources/config.conf

@@ -223,6 +223,11 @@ node {
     solidityPort = 8091
     PBFTEnable = true
     PBFTPort = 8092
+
+    # The maximum request body size for HTTP API, default 4M (4194304 bytes).
+    # Supports human-readable sizes: 4m, 4MB, 4194304. Must be non-negative.
+    # Setting to 0 rejects all non-empty request bodies (not "unlimited").
+    # maxMessageSize = 4m
   }
 
   rpc {
@@ -248,8 +253,10 @@ node {
     # Connection lasting longer than which will be gracefully terminated
     # maxConnectionAgeInMillis =
 
-    # The maximum message size allowed to be received on the server, default 4MB
-    # maxMessageSize =
+    # The maximum message size allowed to be received on the server, default 4M (4194304 bytes).
+    # Supports human-readable sizes: 4m, 4MB, 4194304. Must be non-negative.
+    # Setting to 0 rejects all non-empty request bodies (not "unlimited").
+    # maxMessageSize = 4m
 
     # The maximum size of header list allowed to be received, default 8192
     # maxHeaderListSize =
@@ -357,6 +364,11 @@ node {
   # openHistoryQueryWhenLiteFN = false
 
   jsonrpc {
+    # The maximum request body size for JSON-RPC API, default 4M (4194304 bytes).
+    # Supports human-readable sizes: 4m, 4MB, 4194304. Must be non-negative.
+    # Setting to 0 rejects all non-empty request bodies (not "unlimited").
+    # maxMessageSize = 4m
+
     # Note: Before release_4.8.1, if you turn on jsonrpc and run it for a while and then turn it off,
     # you will not be able to get the data from eth_getLogs for that period of time. Default: false
     # httpFullNodeEnable = false