http: only parse request bodies for methods which should have bodies (…

…#1248)
getodk · Oct 29, 2024 · 8caa8c3 · 8caa8c3
1 parent cc7090e
commit 8caa8c3
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 19 deletions.
diff --git a/lib/http/service.js b/lib/http/service.js
@@ -37,9 +37,11 @@ module.exports = (container) => {
   const defaultJsonLimit = bodyParser.json({ type: 'application/json', limit: '250kb' });
   const largeJsonLimit = bodyParser.json({ type: 'application/json', limit: '100mb' });
   const largeJsonUrlMatch = match('/:apiVersion/projects/:id/datasets/:name/entities');
-
-  service.use((req, res, next) => {
-    if (req.method === 'POST' && largeJsonUrlMatch(req.path))
+  // only apply body-parser middleware to request types which should have a body.
+  service.patch('/*', defaultJsonLimit);
+  service.put('/*', defaultJsonLimit);
+  service.post('/*', (req, res, next) => {
+    if (largeJsonUrlMatch(req.path))
       return largeJsonLimit(req, res, next);
     return defaultJsonLimit(req, res, next);
   });

diff --git a/test/integration/api/entities.js b/test/integration/api/entities.js
@@ -3845,21 +3845,5 @@ describe('Entities API', () => {
           body.success.should.be.true();
         });
     }));
-
-    it('should not allow larger body on GET request', testDataset(async (service) => {
-      const asAlice = await service.login('alice');
-
-      await asAlice.get('/v1/projects/1/datasets/people/entities?foo=bar')
-        .send({ source: { name: 'file.csv' }, entities: [{ label: 'x'.repeat(256001) }] })
-        .expect(500)
-        .then(({ body }) => {
-          body.message.should.equal('Internal Server Error');
-        });
-
-      // GET on this endpoint with payload doens't really make sense
-      await asAlice.get('/v1/projects/1/datasets/people/entities?foo=bar')
-        .send({ source: { name: 'file.csv' }, entities: [{ label: 'x'.repeat(10) }] })
-        .expect(200);
-    }));
   });
 });