Merge branch 'release/v1.0.2'

Author: rousan

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "routerify-multipart"
-version = "1.0.1"
+version = "1.0.2"
 description = "A multipart/form-data parser for Routerify."
 homepage = "https://github.com/routerify/routerify-multipart"
 repository = "https://github.com/routerify/routerify-multipart"
@@ -25,7 +25,7 @@ json = ["multer/json"]
 [dependencies]
 routerify = "1.1"
 hyper = "0.13"
-multer = "1.0"
+multer = "1.1"
 
 [dev-dependencies]
 tokio = { version = "0.2", features = ["full"] }

README.md

@@ -88,6 +88,67 @@ async fn main() {
 }
 ``` 
 
+## Prevent DDoS Attack
+This crate also provides some APIs to prevent potential `DDoS attack` with fine grained control. It's recommended to add some constraints
+on field (specially text field) size to avoid potential `DDoS attack` from attackers running the server out of memory.
+
+An example:
+
+```rust
+use hyper::{Body, Request, Response, Server, StatusCode};
+use routerify::{Error, Router, RouterService};
+// Import `RequestMultipartExt` trait and other types.
+use routerify_multipart::{RequestMultipartExt, Constraints, SizeLimit};
+use std::net::SocketAddr;
+
+// A handler to handle file uploading in `multipart/form-data` content-type.
+async fn file_upload_handler(req: Request<Body>) -> Result<Response<Body>, Error> {
+    // Create some constraints to be applied to the fields to prevent DDoS attack.
+     let constraints = Constraints::new()
+         // We only accept `my_text_field` and `my_file_field` fields,
+         // For any unknown field, we will throw an error.
+         .allowed_fields(vec!["my_text_field", "my_file_field"])
+         .size_limit(
+             SizeLimit::new()
+                 // Set 15mb as size limit for the whole stream body.
+                 .whole_stream(15 * 1024 * 1024)
+                 // Set 10mb as size limit for all fields.
+                 .per_field(10 * 1024 * 1024)
+                 // Set 30kb as size limit for our text field only.
+                 .for_field("my_text_field", 30 * 1024),
+          );
+
+    // Convert the request into a `Multipart` instance.
+    let mut multipart = match req.into_multipart_with_constraints(constraints) {
+        Ok(m) => m,
+        Err(err) => {
+            return Ok(Response::builder()
+                .status(StatusCode::BAD_REQUEST)
+                .body(Body::from(format!("Bad Request: {}", err)))
+                .unwrap());
+        }
+    };
+
+    // Iterate over the fields.
+    while let Some(mut field) = multipart.next_field().await.map_err(|err| Error::wrap(err))? {
+        // Get the field name.
+        let name = field.name();
+        // Get the field's filename if provided in "Content-Disposition" header.
+        let file_name = field.file_name();
+
+        println!("Name {:?}, File name: {:?}", name, file_name);
+
+        // Process the field data chunks e.g. store them in a file.
+        while let Some(chunk) = field.chunk().await.map_err(|err| Error::wrap(err))? {
+            // Do something with field chunk.
+            println!("Chunk: {:?}", chunk);
+        }
+    }
+
+    Ok(Response::new(Body::from("Success")))
+}
+```
+
 ## Contributing
 
 Your PRs and suggestions are always welcome.

examples/README.md

@@ -0,0 +1,15 @@
+# Examples of using routerify-multipart
+
+These examples show of how to do common tasks using `routerify-multipart`.
+
+Please visit: [Docs](https://docs.rs/routerify-multipart) for the documentation.
+
+Run an example:
+
+```sh
+ cargo run --example example_name
+```
+
+* [`simple_example`](simple_example.rs) - A basic example using `routerify-multipart`.
+
+* [`prevent_ddos_attack`](prevent_ddos_attack.rs) - Shows how to apply some rules to prevent potential `DDoS` attack while handling `multipart/form-data`.

examples/prevent_ddos_attack.rs

@@ -0,0 +1,77 @@
+use hyper::{Body, Request, Response, Server, StatusCode};
+use routerify::{Error, Router, RouterService};
+// Import `RequestMultipartExt` trait and other types.
+use routerify_multipart::{Constraints, RequestMultipartExt, SizeLimit};
+use std::net::SocketAddr;
+
+// A handler to handle file uploading in `multipart/form-data` content-type.
+async fn file_upload_handler(req: Request<Body>) -> Result<Response<Body>, Error> {
+    // Create some constraints to be applied to the fields to prevent DDoS attack.
+    let constraints = Constraints::new()
+        // We only accept `my_text_field` and `my_file_field` fields,
+        // For any unknown field, we will throw an error.
+        .allowed_fields(vec!["my_text_field", "my_file_field"])
+        .size_limit(
+            SizeLimit::new()
+                // Set 15mb as size limit for the whole stream body.
+                .whole_stream(15 * 1024 * 1024)
+                // Set 10mb as size limit for all fields.
+                .per_field(10 * 1024 * 1024)
+                // Set 30kb as size limit for our text field only.
+                .for_field("my_text_field", 30 * 1024),
+        );
+
+    // Convert the request into a `Multipart` instance.
+    let mut multipart = match req.into_multipart_with_constraints(constraints) {
+        Ok(m) => m,
+        Err(err) => {
+            return Ok(Response::builder()
+                .status(StatusCode::BAD_REQUEST)
+                .body(Body::from(format!("Bad Request: {}", err)))
+                .unwrap());
+        }
+    };
+
+    // Iterate over the fields.
+    while let Some(mut field) = multipart.next_field().await.map_err(|err| Error::wrap(err))? {
+        // Get the field name.
+        let name = field.name();
+        // Get the field's filename if provided in "Content-Disposition" header.
+        let file_name = field.file_name();
+
+        println!("Name {:?}, File name: {:?}", name, file_name);
+
+        // Process the field data chunks e.g. store them in a file.
+        while let Some(chunk) = field.chunk().await.map_err(|err| Error::wrap(err))? {
+            // Do something with field chunk.
+            println!("Chunk: {:?}", chunk);
+        }
+    }
+
+    Ok(Response::new(Body::from("Success")))
+}
+
+// Create a router.
+fn router() -> Router<Body, Error> {
+    // Register the handlers.
+    Router::builder().post("/upload", file_upload_handler).build().unwrap()
+}
+
+#[tokio::main]
+async fn main() {
+    let router = router();
+
+    // Create a Service from the router above to handle incoming requests.
+    let service = RouterService::new(router).unwrap();
+
+    // The address on which the server will be listening.
+    let addr = SocketAddr::from(([127, 0, 0, 1], 3001));
+
+    // Create a server by passing the created service to `.serve` method.
+    let server = Server::bind(&addr).serve(service);
+
+    println!("App is running on: {}", addr);
+    if let Err(err) = server.await {
+        eprintln!("Server error: {}", err);
+    }
+}

examples/example.rs renamed to examples/simple_example.rs

@@ -1,4 +1,4 @@
-use crate::Multipart;
+use crate::{Constraints, Multipart};
 use hyper::{header, Request};
 
 /// An extension trait which extends [`hyper::Request<Body>`](https://docs.rs/hyper/0.13.5/hyper/struct.Request.html)
@@ -10,6 +10,13 @@ pub trait RequestMultipartExt {
     ///
     /// This method fails if the request body is not `multipart/form-data` and in this case, you could send a `400 Bad Request` status.
     fn into_multipart(self) -> routerify::Result<Multipart>;
+
+    /// Convert the request body to [`Multipart`](./struct.Multipart.html) if the `content-type` is `multipart/form-data` with some [constraints](./struct.Constraints.html).
+    ///
+    /// # Errors
+    ///
+    /// This method fails if the request body is not `multipart/form-data` and in this case, you could send a `400 Bad Request` status.
+    fn into_multipart_with_constraints(self, constraints: Constraints) -> routerify::Result<Multipart>;
 }
 
 impl RequestMultipartExt for Request<hyper::Body> {
@@ -26,4 +33,18 @@ impl RequestMultipartExt for Request<hyper::Body> {
             Err(routerify::Error::new("Content-Type is not multipart/form-data"))
         }
     }
+
+    fn into_multipart_with_constraints(self, constraints: Constraints) -> routerify::Result<Multipart> {
+        let boundary = self
+            .headers()
+            .get(header::CONTENT_TYPE)
+            .and_then(|val| val.to_str().ok())
+            .and_then(|val| multer::parse_boundary(val).ok());
+
+        if let Some(boundary) = boundary {
+            Ok(Multipart::new_with_constraints(self.into_body(), boundary, constraints))
+        } else {
+            Err(routerify::Error::new("Content-Type is not multipart/form-data"))
+        }
+    }
 }

src/ext.rs

@@ -68,8 +68,72 @@
 //!     }
 //! }
 //! ```
+//!
+//! ## Prevent DDoS Attack
+//!
+//! This crate also provides some APIs to prevent potential `DDoS attack` with fine grained control. It's recommended to add some constraints
+//! on field (specially text field) size to avoid potential `DDoS attack` from attackers running the server out of memory.
+//!
+//! An example:
+//!
+//! ```no_run
+//! use hyper::{Body, Request, Response, Server, StatusCode};
+//! use routerify::{Error, Router, RouterService};
+//! // Import `RequestMultipartExt` trait and other types.
+//! use routerify_multipart::{RequestMultipartExt, Constraints, SizeLimit};
+//! use std::net::SocketAddr;
+//!
+//! // A handler to handle file uploading in `multipart/form-data` content-type.
+//! async fn file_upload_handler(req: Request<Body>) -> Result<Response<Body>, Error> {
+//!     // Create some constraints to be applied to the fields to prevent DDoS attack.
+//!      let constraints = Constraints::new()
+//!          // We only accept `my_text_field` and `my_file_field` fields,
+//!          // For any unknown field, we will throw an error.
+//!          .allowed_fields(vec!["my_text_field", "my_file_field"])
+//!          .size_limit(
+//!              SizeLimit::new()
+//!                  // Set 15mb as size limit for the whole stream body.
+//!                  .whole_stream(15 * 1024 * 1024)
+//!                  // Set 10mb as size limit for all fields.
+//!                  .per_field(10 * 1024 * 1024)
+//!                  // Set 30kb as size limit for our text field only.
+//!                  .for_field("my_text_field", 30 * 1024),
+//!           );
+//!
+//!     // Convert the request into a `Multipart` instance.
+//!     let mut multipart = match req.into_multipart_with_constraints(constraints) {
+//!         Ok(m) => m,
+//!         Err(err) => {
+//!             return Ok(Response::builder()
+//!                 .status(StatusCode::BAD_REQUEST)
+//!                 .body(Body::from(format!("Bad Request: {}", err)))
+//!                 .unwrap());
+//!         }
+//!     };
+//!
+//!     // Iterate over the fields.
+//!     while let Some(mut field) = multipart.next_field().await.map_err(|err| Error::wrap(err))? {
+//!         // Get the field name.
+//!         let name = field.name();
+//!         // Get the field's filename if provided in "Content-Disposition" header.
+//!         let file_name = field.file_name();
+//!
+//!         println!("Name {:?}, File name: {:?}", name, file_name);
+//!
+//!         // Process the field data chunks e.g. store them in a file.
+//!         while let Some(chunk) = field.chunk().await.map_err(|err| Error::wrap(err))? {
+//!             // Do something with field chunk.
+//!             println!("Chunk: {:?}", chunk);
+//!         }
+//!     }
+//!
+//!     Ok(Response::new(Body::from("Success")))
+//! }
+//! ```
+//!
+//! Please refer [`Constraints`](./struct.Constraints.html) for more info.
 
 pub use self::ext::RequestMultipartExt;
-pub use multer::{Field, Multipart};
+pub use multer::{Constraints, Error, Field, Multipart, SizeLimit};
 
 mod ext;