feat(gateway): add content size limits for responses #1138

Open
lidel wants to merge 3 commits into main from feat/max-deserialized-response-size

@lidel
Member

@lidel lidel commented Apr 10, 2026

Add two new Config options for gateway operators to limit responses based on content size read from the UnixFS root block:

  • MaxDeserializedResponseSize: caps deserialized responses only, trustless formats (raw, CAR) are not affected
  • MaxUnixFSDAGResponseSize: caps all response formats including raw blocks, CAR, and TAR

Both return 410 Gone with a message directing users to run their own IPFS node for large content.

Integration points

  • gateway.go: add config fields with documentation
  • handler.go: add exceedsMax* helper methods
  • handler_defaults.go: check both limits using bytesSize
  • handler_block.go: check DAG limit using existing block size
  • handler_codec.go: check DAG limit using existing block size
  • handler_car.go: conditional Head call only when limit is set
  • handler_tar.go: check DAG limit using existing file.Size()
  • gateway_test.go: tests for both limits across all formats
  • CHANGELOG.md: document new config options

@codecov

codecov bot commented Apr 10, 2026

Codecov Report

❌ Patch coverage is 86.48649% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.02%. Comparing base (956010c) to head (deb5964).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| gateway/handler_tar.go | 0.00% | 2 Missing and 1 partial ⚠️ |
| gateway/handler_codec.go | 0.00% | 1 Missing and 1 partial ⚠️ |

@@            Coverage Diff             @@
##             main    #1138      +/-   ##
==========================================
+ Coverage   62.99%   63.02%   +0.03%     
==========================================
  Files         266      266              
  Lines       26661    26698      +37     
==========================================
+ Hits        16794    16827      +33     
- Misses       8153     8155       +2     
- Partials     1714     1716       +2     

| Files with missing lines | Coverage Δ |
| --- | --- |
| gateway/gateway.go | 79.22% <ø> (ø) |
| gateway/handler.go | 79.17% <100.00%> (+0.58%) ⬆️ |
| gateway/handler_block.go | 66.66% <100.00%> (+2.38%) ⬆️ |
| gateway/handler_car.go | 80.68% <100.00%> (+0.97%) ⬆️ |
| gateway/handler_defaults.go | 59.06% <100.00%> (+2.63%) ⬆️ |
| gateway/handler_codec.go | 61.58% <0.00%> (-0.77%) ⬇️ |
| gateway/handler_tar.go | 70.27% <0.00%> (-6.21%) ⬇️ |

... and 13 files with indirect coverage changes

Add two new Config options for gateway operators to limit
responses based on content size read from the UnixFS root block:

- MaxDeserializedResponseSize: caps deserialized responses only,
  trustless formats (raw, CAR) are not affected
- MaxUnixFSDAGResponseSize: caps all response formats including
  raw blocks, CAR, and TAR

Both return 501 Not Implemented with a message directing users to
run their own IPFS node for large content.

- gateway.go: add config fields with documentation
- handler.go: add exceedsMax* helper methods
- handler_defaults.go: check both limits using bytesSize
- handler_block.go: check DAG limit using existing block size
- handler_codec.go: check DAG limit using existing block size
- handler_car.go: conditional Head call only when limit is set
- handler_tar.go: check DAG limit using existing file.Size()
- gateway_test.go: tests for both limits across all formats
- CHANGELOG.md: document new config options
@lidel lidel force-pushed the feat/max-deserialized-response-size branch from 7d04de7 to 50371cd Compare April 10, 2026 15:48
lidel added a commit to ipfs/rainbow that referenced this pull request Apr 10, 2026
Wire boxo gateway size limit options as CLI flags:

- --max-deserialized-response-size / RAINBOW_MAX_DESERIALIZED_RESPONSE_SIZE
- --max-unixfs-dag-response-size / RAINBOW_MAX_UNIXFS_DAG_RESPONSE_SIZE

Both disabled by default (0). When set, content exceeding the limit
returns 501 directing users to run their own IPFS node.

Depends on ipfs/boxo#1138.
@lidel lidel marked this pull request as ready for review April 10, 2026 17:44
@lidel lidel requested a review from a team as a code owner April 10, 2026 17:44
410 Gone is heuristically cacheable per RFC 9110 and cached by CDNs
(Cloudflare, Fastly) by default, unlike 501 which is not cached in
practice. This is consistent with how denylist blocking already uses
410 in this codebase.

Set Cache-Control with 1 week max-age and 31 day stale-while-revalidate
(same as generated directory listings) so CDN edges cache the rejection
without repeated backend hits.
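
The size check and cacheable rejection described in the PR description and commit messages above, as an added Go example (not code from this PR or from boxo). `rejectIfTooLarge`, `probe`, the response text and the exact Cache-Control string are hypothetical; the two option names, the 0-disables convention, the 410 status and the cache lifetimes come from the page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config uses the two option names from the PR; 0 disables a limit.
type Config struct {
	MaxDeserializedResponseSize int64 // deserialized responses only
	MaxUnixFSDAGResponseSize    int64 // every format: raw, CAR, TAR, deserialized
}

// Lifetimes from the commit message: 1 week max-age, 31 day stale-while-revalidate.
const maxAge, swr = 7 * 24 * 60 * 60, 31 * 24 * 60 * 60

// rejectIfTooLarge (hypothetical) answers 410 Gone and returns true when size,
// as read from the root block, exceeds a limit that applies to this format.
func rejectIfTooLarge(w http.ResponseWriter, cfg Config, size int64, deserialized bool) bool {
	overDAG := cfg.MaxUnixFSDAGResponseSize > 0 && size > cfg.MaxUnixFSDAGResponseSize
	overDeser := deserialized && cfg.MaxDeserializedResponseSize > 0 &&
		size > cfg.MaxDeserializedResponseSize
	if !overDAG && !overDeser {
		return false
	}
	// Headers must be set before WriteHeader so CDN edges can cache the rejection.
	w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%d, stale-while-revalidate=%d", maxAge, swr))
	w.WriteHeader(http.StatusGone)
	fmt.Fprintln(w, "content too large for this gateway; run your own IPFS node") // constructed text
	return true
}

// probe runs the check against a recorder; returns status code and Cache-Control.
func probe(cfg Config, size int64, deserialized bool) (int, string) {
	rec := httptest.NewRecorder()
	if !rejectIfTooLarge(rec, cfg, size, deserialized) {
		rec.WriteHeader(http.StatusOK) // stand-in for serving the content
	}
	return rec.Code, rec.Header().Get("Cache-Control")
}

func main() {
	cfg := Config{MaxDeserializedResponseSize: 1 << 20, MaxUnixFSDAGResponseSize: 8 << 20}
	fmt.Println(probe(cfg, 2<<20, true))   // over the deserialized limit
	fmt.Println(probe(cfg, 2<<20, false))  // trustless format, under the DAG limit
	fmt.Println(probe(cfg, 16<<20, false)) // over the DAG limit in any format
}
```
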
@gammazero
Contributor

Triage: test in staging before including in release.
