Harden Node adapter HTTP server defaults and request body handling (withastro#15759)

* Harden Node adapter HTTP server defaults and add global body size limit

* Make bodySizeLimit a user-configurable option in the Node adapter

* Update changeset: bump @astrojs/node to minor for new bodySizeLimit option

* Update .changeset/harden-node-server-defaults.md

Co-authored-by: Sarah Rainsberger <5098874+sarah11918@users.noreply.github.com>

* Remove timeout defaults

* Remove timeout hardening tests

---------

Co-authored-by: astro-actions[bot] <houston@astro.build>
Co-authored-by: Sarah Rainsberger <5098874+sarah11918@users.noreply.github.com>

Author: 3 people

.changeset/harden-node-server-defaults.md

@@ -0,0 +1,20 @@
+---
+'astro': patch
+'@astrojs/node': minor
+---
+
+Adds a new `bodySizeLimit` option to the `@astrojs/node` adapter
+
+You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass `0` to disable the limit entirely:
+
+```js
+import node from '@astrojs/node';
+import { defineConfig } from 'astro/config';
+
+export default defineConfig({
+  adapter: node({
+    mode: 'standalone',
+    bodySizeLimit: 1024 * 1024 * 100, // 100 MB
+  }),
+});
+```

packages/astro/src/core/app/node.ts

@@ -39,8 +39,14 @@ export function createRequest(
 	{
 		skipBody = false,
 		allowedDomains = [],
+		bodySizeLimit,
 		port: serverPort,
-	}: { skipBody?: boolean; allowedDomains?: Partial<RemotePattern>[]; port?: number } = {},
+	}: {
+		skipBody?: boolean;
+		allowedDomains?: Partial<RemotePattern>[];
+		bodySizeLimit?: number;
+		port?: number;
+	} = {},
 ): Request {
 	const controller = new AbortController();
 
@@ -103,7 +109,7 @@ export function createRequest(
 	};
 	const bodyAllowed = options.method !== 'HEAD' && options.method !== 'GET' && skipBody === false;
 	if (bodyAllowed) {
-		Object.assign(options, makeRequestBody(req));
+		Object.assign(options, makeRequestBody(req, bodySizeLimit));
 	}
 
 	const request = new Request(url, options);
@@ -322,7 +328,7 @@ function makeRequestHeaders(req: NodeRequest): Headers {
 	return headers;
 }
 
-function makeRequestBody(req: NodeRequest): RequestInit {
+function makeRequestBody(req: NodeRequest, bodySizeLimit?: number): RequestInit {
 	if (req.body !== undefined) {
 		if (typeof req.body === 'string' && req.body.length > 0) {
 			return { body: Buffer.from(req.body) };
@@ -338,27 +344,55 @@ function makeRequestBody(req: NodeRequest): RequestInit {
 			req.body !== null &&
 			typeof (req.body as any)[Symbol.asyncIterator] !== 'undefined'
 		) {
-			return asyncIterableToBodyProps(req.body as AsyncIterable<any>);
+			return asyncIterableToBodyProps(req.body as AsyncIterable<any>, bodySizeLimit);
 		}
 	}
 
 	// Return default body.
-	return asyncIterableToBodyProps(req);
+	return asyncIterableToBodyProps(req, bodySizeLimit);
 }
 
-function asyncIterableToBodyProps(iterable: AsyncIterable<any>): RequestInit {
+function asyncIterableToBodyProps(
+	iterable: AsyncIterable<any>,
+	bodySizeLimit?: number,
+): RequestInit {
+	const source = bodySizeLimit != null ? limitAsyncIterable(iterable, bodySizeLimit) : iterable;
 	return {
 		// Node uses undici for the Request implementation. Undici accepts
 		// a non-standard async iterable for the body.
 		// @ts-expect-error
-		body: iterable,
+		body: source,
 		// The duplex property is required when using a ReadableStream or async
 		// iterable for the body. The type definitions do not include the duplex
 		// property because they are not up-to-date.
 		duplex: 'half',
 	};
 }
 
+/**
+ * Wraps an async iterable with a size limit. If the total bytes received
+ * exceed the limit, an error is thrown.
+ */
+async function* limitAsyncIterable(
+	iterable: AsyncIterable<any>,
+	limit: number,
+): AsyncGenerator<any> {
+	let received = 0;
+	for await (const chunk of iterable) {
+		const byteLength =
+			chunk instanceof Uint8Array
+				? chunk.byteLength
+				: typeof chunk === 'string'
+					? Buffer.byteLength(chunk)
+					: 0;
+		received += byteLength;
+		if (received > limit) {
+			throw new Error(`Body size limit exceeded: received more than ${limit} bytes`);
+		}
+		yield chunk;
+	}
+}
+
 function getAbortControllerCleanup(req?: NodeRequest): (() => void) | undefined {
 	if (!req) return undefined;
 	const cleanup = Reflect.get(req, nodeRequestAbortControllerCleanupSymbol);

packages/astro/test/units/app/node.test.js

@@ -855,6 +855,107 @@ describe('node', () => {
 		});
 	});
 
+	describe('body size limit', () => {
+		it('rejects request body that exceeds the configured bodySizeLimit', async () => {
+			const { Readable } = await import('node:stream');
+			// Create a stream that produces data exceeding the limit
+			const limit = 1024; // 1KB limit
+			const chunks = [];
+			// Create 2KB of data (exceeds 1KB limit)
+			for (let i = 0; i < 4; i++) {
+				chunks.push(Buffer.alloc(512, 0x41));
+			}
+			const stream = Readable.from(chunks);
+			const req = {
+				...mockNodeRequest,
+				method: 'POST',
+				headers: {
+					...mockNodeRequest.headers,
+					'content-type': 'application/octet-stream',
+				},
+				socket: mockNodeRequest.socket,
+				[Symbol.asyncIterator]: stream[Symbol.asyncIterator].bind(stream),
+			};
+
+			const request = createRequest(req, { bodySizeLimit: limit });
+
+			// The request should be created, but reading the body should fail
+			await assert.rejects(
+				async () => {
+					const reader = request.body.getReader();
+					while (true) {
+						const { done } = await reader.read();
+						if (done) break;
+					}
+				},
+				(err) => {
+					assert.ok(err.message.includes('Body size limit exceeded'));
+					return true;
+				},
+			);
+		});
+
+		it('allows request body within the configured bodySizeLimit', async () => {
+			const { Readable } = await import('node:stream');
+			const limit = 2048; // 2KB limit
+			const data = Buffer.alloc(1024, 0x42); // 1KB of data (within limit)
+			const stream = Readable.from([data]);
+			const req = {
+				...mockNodeRequest,
+				method: 'POST',
+				headers: {
+					...mockNodeRequest.headers,
+					'content-type': 'application/octet-stream',
+				},
+				socket: mockNodeRequest.socket,
+				[Symbol.asyncIterator]: stream[Symbol.asyncIterator].bind(stream),
+			};
+
+			const request = createRequest(req, { bodySizeLimit: limit });
+
+			// Reading the body should succeed
+			const reader = request.body.getReader();
+			const chunks = [];
+			while (true) {
+				const { done, value } = await reader.read();
+				if (done) break;
+				chunks.push(value);
+			}
+			const totalSize = chunks.reduce((sum, chunk) => sum + chunk.byteLength, 0);
+			assert.equal(totalSize, 1024);
+		});
+
+		it('does not enforce body size limit when bodySizeLimit is not set', async () => {
+			const { Readable } = await import('node:stream');
+			// Create 2KB of data with no limit configured
+			const data = Buffer.alloc(2048, 0x43);
+			const stream = Readable.from([data]);
+			const req = {
+				...mockNodeRequest,
+				method: 'POST',
+				headers: {
+					...mockNodeRequest.headers,
+					'content-type': 'application/octet-stream',
+				},
+				socket: mockNodeRequest.socket,
+				[Symbol.asyncIterator]: stream[Symbol.asyncIterator].bind(stream),
+			};
+
+			const request = createRequest(req);
+
+			// Reading the body should succeed without limit
+			const reader = request.body.getReader();
+			const chunks = [];
+			while (true) {
+				const { done, value } = await reader.read();
+				if (done) break;
+				chunks.push(value);
+			}
+			const totalSize = chunks.reduce((sum, chunk) => sum + chunk.byteLength, 0);
+			assert.equal(totalSize, 2048);
+		});
+	});
+
 	describe('abort signal', () => {
 		it('aborts the request.signal when the underlying socket closes', () => {
 			const socket = new EventEmitter();

packages/integrations/node/src/index.ts

@@ -78,6 +78,7 @@ export default function createIntegration(userOptions: UserOptions): AstroIntegr
 								host: _config.server.host,
 								port: _config.server.port,
 								staticHeaders: userOptions.staticHeaders ?? false,
+								bodySizeLimit: userOptions.bodySizeLimit ?? 1024 * 1024 * 1024,
 							}),
 						],
 					},

packages/integrations/node/src/serve-app.ts

@@ -75,11 +75,18 @@ export function createAppHandler(app: BaseApp, options: Options): RequestHandler
 		return new Response(null, { status: 404 });
 	};
 
+	// Use the configured body size limit. A value of 0 or Infinity disables the limit.
+	const effectiveBodySizeLimit =
+		options.bodySizeLimit === 0 || options.bodySizeLimit === Number.POSITIVE_INFINITY
+			? undefined
+			: options.bodySizeLimit;
+
 	return async (req, res, next, locals) => {
 		let request: Request;
 		try {
 			request = createRequest(req, {
 				allowedDomains: app.getAllowedDomains?.() ?? [],
+				bodySizeLimit: effectiveBodySizeLimit,
 				port: options.port,
 			});
 		} catch (err) {

packages/integrations/node/src/types.ts

@@ -20,6 +20,16 @@ export interface UserOptions {
 	 * - The CSP header of the static pages is added when CSP support is enabled.
 	 */
 	staticHeaders?: boolean;
+
+	/**
+	 * Maximum allowed request body size in bytes. Requests with bodies larger than
+	 * this limit will throw an error when the body is consumed.
+	 *
+	 * Set to `Infinity` or `0` to disable the limit.
+	 *
+	 * @default {1073741824} 1GB
+	 */
+	bodySizeLimit?: number;
 }
 
 export interface Options extends UserOptions {
@@ -28,6 +38,7 @@ export interface Options extends UserOptions {
 	server: string;
 	client: string;
 	staticHeaders: boolean;
+	bodySizeLimit: number;
 }
 
 export type RequestHandler = (...args: RequestHandlerParams) => void | Promise<void>;