From e4a23ecd5c7c3804adcc01ae201f095d99ad932b Mon Sep 17 00:00:00 2001
From: Test User
Date: Mon, 4 May 2026 21:52:37 +0800
Subject: [PATCH] fix: add request body size limit to proxy model API path
The proxy had a 1KB size limit on the control endpoint (/_proxy/mode) but no limit on model API request bodies. A client could send an arbitrarily large request, causing memory exhaustion in the proxy process. Add a 50MB limit with a 413 response on overflow.
Co-Authored-By: Claude Opus 4.7
---
 proxy/model-proxy.js | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/proxy/model-proxy.js b/proxy/model-proxy.js
index 6c3d5ac..db46fb1 100644
--- a/proxy/model-proxy.js
+++ b/proxy/model-proxy.js
@@ -6,6 +6,7 @@ import { Transform } from 'stream';
 const ANTHROPIC_FALLBACK = 'https://api.anthropic.com';
 const MODEL_PATHS = ['/v1/messages'];
 const REQUEST_TIMEOUT_MS = 5 * 60 * 1000; // 5 min per request
+const MAX_BODY_SIZE = 50 * 1024 * 1024; // 50 MB
 const PRICING_PER_M = {
 deepseek: { input: 0.44, output: 0.87 },
@@ -274,8 +275,20 @@ export function startModelProxy({ targetUrl, apiKey, startPort = 3200, backends,
 }
 const chunks = [];
- clientReq.on('data', c => chunks.push(c));
+ let bodySize = 0;
+ clientReq.on('data', c => {
+ bodySize += c.length;
+ if (bodySize > MAX_BODY_SIZE) {
+ console.error(`[MODEL-PROXY] #${reqCount} BODY_TOO_LARGE (${bodySize} bytes)`);
+ clientRes.writeHead(413, { 'content-type': 'application/json' });
+ clientRes.end(JSON.stringify({ error: { message: 'Request body too large' } }));
+ clientReq.destroy();
+ return;
+ }
+ chunks.push(c);
+ });
 clientReq.on('end', () => {
+ if (bodySize > MAX_BODY_SIZE) return;
 const body = Buffer.concat(chunks);
 const opts = {
 hostname: dest.hostname,
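Review bot: In the new 'data' handler of the second hunk, `clientReq.destroy()` runs immediately after `clientRes.end(...)`, and because the request and response share one socket the 413 may be torn down before the client reads it, so an oversized upload would likely surface as a connection reset rather than a clear rejection. Deferring the destroy to the `end` callback needs a flag so that later chunks do not reach `writeHead` a second time; the sketch below does that and also releases the chunks buffered so far. A declared `content-length` above `MAX_BODY_SIZE` could additionally be rejected before anything is buffered, and the 50 MB cap is per request, so total memory still scales with concurrent connections unless something outside this hunk bounds them. The request handler inside `startModelProxy` starts and ends outside the hunk.

```javascript
const chunks = [];
let bodySize = 0;
let rejected = false;
clientReq.on('data', c => {
  if (rejected) return; // ignore data that arrives while the 413 is being flushed
  bodySize += c.length;
  if (bodySize > MAX_BODY_SIZE) {
    rejected = true;
    chunks.length = 0; // release what was buffered so far
    // … unchanged: BODY_TOO_LARGE log line …
    clientRes.writeHead(413, { 'content-type': 'application/json', connection: 'close' });
    clientRes.end(
      JSON.stringify({ error: { message: 'Request body too large' } }),
      () => clientReq.destroy(), // close the socket only after the response is written
    );
    return;
  }
  // … unchanged: chunks.push(c) …
});
clientReq.on('end', () => {
  if (rejected) return;
  // … unchanged: Buffer.concat and upstream request …
```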