[middleware]: add upper bound to cloneBodyStream

ztanner · ztanner · commit 7f21566618ab · 2025-10-06T06:40:42.000-07:00
diff --git a/packages/next/errors.json b/packages/next/errors.json
@@ -850,5 +850,6 @@
   "849": "Route %s with \\`dynamic = \"error\"\\` couldn't be rendered statically because it used \\`cookies()\\`. See more info here: https://nextjs.org/docs/app/building-your-application/rendering/static-and-dynamic#dynamic-rendering",
   "850": "metadataBase is not a valid URL: %s",
   "851": "Pass either `webpack` or `turbopack`, not both.",
-  "852": "Only custom servers can pass `webpack`, `turbo`, or `turbopack`."
+  "852": "Only custom servers can pass `webpack`, `turbo`, or `turbopack`.",
+  "853": "Request body exceeded %s"
 }
diff --git a/packages/next/src/server/body-streams.ts b/packages/next/src/server/body-streams.ts
@@ -1,6 +1,9 @@
 import type { IncomingMessage } from 'http'
 import type { Readable } from 'stream'
 import { PassThrough } from 'stream'
+import bytes from 'next/dist/compiled/bytes'
+
+const DEFAULT_BODY_CLONE_SIZE_LIMIT = 50 * 1024 * 1024 // 50MB
 
 export function requestToBodyStream(
   context: { ReadableStream: typeof ReadableStream },
@@ -76,13 +79,38 @@ export function getCloneableBody<T extends IncomingMessage>(
       const input = buffered ?? readable
       const p1 = new PassThrough()
       const p2 = new PassThrough()
+
+      let bytesRead = 0
+      const sizeLimit = DEFAULT_BODY_CLONE_SIZE_LIMIT
+      let limitExceeded = false
+
       input.on('data', (chunk) => {
+        if (limitExceeded) return
+
+        bytesRead += chunk.length
+
+        if (bytesRead > sizeLimit) {
+          limitExceeded = true
+          const error = new Error(
+            `Request body exceeded ${bytes.format(sizeLimit)}`
+          )
+          p1.destroy(error)
+          p2.destroy(error)
+          return
+        }
+
         p1.push(chunk)
         p2.push(chunk)
       })
       input.on('end', () => {
-        p1.push(null)
-        p2.push(null)
+        if (!limitExceeded) {
+          p1.push(null)
+          p2.push(null)
+        }
+      })
+      input.on('error', (err) => {
+        p1.destroy(err)
+        p2.destroy(err)
       })
       buffered = p2
       return p1
diff --git a/test/e2e/middleware-fetches-with-body/index.test.ts b/test/e2e/middleware-fetches-with-body/index.test.ts
@@ -37,6 +37,23 @@ describe('Middleware fetches with body', () => {
             res.json({ rawBody, body: req.body })
           }
         `,
+        'app/api/test-clone-limit/route.js': `
+          import { NextResponse } from 'next/server'
+
+          export async function POST(request) {
+            try {
+              const buffer = await request.arrayBuffer()
+              return NextResponse.json({
+                success: true,
+                bodySize: buffer.byteLength
+              })
+            } catch (err) {
+              return NextResponse.json({
+                error: err.message
+              }, { status: 500 })
+            }
+          }
+        `,
         'middleware.js': `
           import { NextResponse } from 'next/server';
 
@@ -308,4 +325,46 @@ describe('Middleware fetches with body', () => {
       }
     }
   })
+
+  describe('cloneBodyStream size limit', () => {
+    if (!(global as any).isNextDeploy) {
+      it('should reject body over 50MB when cloning for middleware', async () => {
+        const bodySize = 51 * 1024 * 1024
+        const body = 'Z'.repeat(bodySize)
+
+        const res = await fetchViaHTTP(
+          next.url,
+          '/api/test-clone-limit',
+          {},
+          {
+            body,
+            method: 'POST',
+          }
+        )
+
+        expect(res.status).toBe(400)
+      })
+
+      it('should accept body under 50MB when cloning for middleware', async () => {
+        const bodySize = 10 * 1024 * 1024
+        const body = 'Y'.repeat(bodySize)
+
+        const res = await fetchViaHTTP(
+          next.url,
+          '/api/test-clone-limit',
+          {},
+          {
+            body,
+            method: 'POST',
+          }
+        )
+
+        // Should succeed because we're under the 50MB clone limit
+        expect(res.status).toBe(200)
+        const data = await res.json()
+        expect(data.success).toBe(true)
+        expect(data.bodySize).toBe(bodySize)
+      })
+    }
+  })
 })

Original file line number	Diff line number	Diff line change
`@@ -850,5 +850,6 @@`
`850`	`850`	"849": "Route %s with \\`dynamic = \"error\"\\` couldn't be rendered statically because it used \\`cookies()\\`. See more info here: https://nextjs.org/docs/app/building-your-application/rendering/static-and-dynamic#dynamic-rendering",
`851`	`851`	`"850": "metadataBase is not a valid URL: %s",`
`852`	`852`	"851": "Pass either `webpack` or `turbopack`, not both.",
`853`		- "852": "Only custom servers can pass `webpack`, `turbo`, or `turbopack`."
	`853`	+ "852": "Only custom servers can pass `webpack`, `turbo`, or `turbopack`.",
	`854`	`+ "853": "Request body exceeded %s"`
`854`	`855`	`}`