Skip to content

Return clear HTTP 413 when request body exceeds max_request_body_size#2841

Closed
arpitjain099 wants to merge 1 commit into
sigstore:mainfrom
arpitjain099:fix/max-body-413
Closed

Return clear HTTP 413 when request body exceeds max_request_body_size#2841
arpitjain099 wants to merge 1 commit into
sigstore:mainfrom
arpitjain099:fix/max-body-413

Conversation

@arpitjain099

Copy link
Copy Markdown

Summary

Fixes #2808.

When max_request_body_size is configured, the maxBodySize middleware in pkg/generated/restapi/configure_rekor_server.go wraps the request body with http.MaxBytesReader. Once the limit is exceeded the read fails, but the way that failure was surfaced to clients depended entirely on how the error happened to be wrapped before it reached logAndServeError:

  • a bare *http.MaxBytesError fell through to an opaque 500 with body http: request body too large
  • a top-level *errors.ParseError produced a 400 that leaked the same internal http: request body too large text
  • only a CompositeError holding a ParseError was converted to 413, and even then the message was a generic Request Entity Too Large that never named the limit

That is why the reporter (uploading with cosign against the public instance) saw only a generic giving up after N attempt(s) retry failure with no hint that the body size limit was the cause, and why the limit itself was effectively undiscoverable.

This change detects the underlying *http.MaxBytesError across all of those shapes through a single helper (asMaxBytesError) and responds with 413 Request Entity Too Large, including the configured limit in bytes (read straight from MaxBytesError.Limit) so operators and clients can see exactly why the request was rejected. *errors.ParseError is handled explicitly because it does not implement Unwrap, so errors.As cannot reach its Reason on its own; everything else (bare error, or one nested in a CompositeError, which does unwrap) is caught by errors.As. The detailed error is still logged server-side, and it is now logged at warn rather than error since it is a client error.

This edit is in the hand-maintained region of configure_rekor_server.go (the file carries the go-swagger This file is safe to edit. Once it exists it will not be overwritten marker, and the prior 413 handling lived in this same region).

How to verify:

go test ./pkg/generated/restapi/ -run 'TestMaxBodySize|TestAsMaxBytesError' -v

Behaviour for an over-limit body with the fix applied:

  • before: 500 {"code":500,"message":"http: request body too large"} (or a 400 leaking the same text, depending on the consumer)
  • after: 413 {"code":413,"message":"request body exceeds max_request_body_size limit of 1024 bytes"}

The new tests cover each error shape, an under-limit request (must stay a success, not a false-positive 413), and the detection helper directly.

Release Note

Rekor now returns a clear 413 Request Entity Too Large response that names the configured byte limit when a request body exceeds max_request_body_size, instead of an opaque 500/400 with no explanation. The detailed error continues to be logged server-side only.

Documentation

None.

When max_request_body_size is set, the maxBodySize middleware wraps the
request body with http.MaxBytesReader. The resulting read error only
surfaced to clients as a clear 413 in one wrapping shape (a CompositeError
holding a ParseError); a bare *http.MaxBytesError fell through to an opaque
500 and a top-level ParseError produced a 400 that leaked the internal
'http: request body too large' text. Clients (for example cosign) saw only
a generic retry failure with no indication that the body size limit was hit.

Detect the *http.MaxBytesError across all of these shapes via a single
helper and respond with 413 Request Entity Too Large, naming the configured
limit in bytes so operators and clients can see why the request was
rejected. ParseError is handled explicitly because it does not implement
Unwrap, so errors.As cannot reach its Reason on its own.

Add unit tests covering each error shape, an under-limit request, and the
detection helper directly.

Fixes #2808

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner June 3, 2026 01:08
@Hayden-IO

Copy link
Copy Markdown
Contributor

There is already an open PR for this - #2813

@Hayden-IO Hayden-IO closed this Jun 3, 2026
@arpitjain099

Copy link
Copy Markdown
Author

There is already an open PR for this - #2813

@Hayden-IO I see. Noted. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Rekor error handling on max_request_body_size

2 participants