It is not safe to read all stream body to memory without a max size limit.

[Quons]

fasthttp/http.go

Line 427 in 57b9352

_, err := copyZeroAlloc(bodyBuf, req.bodyStream)

I think it would be safe to stop reading the request body into memory and return an error when it exceeds the maximum request body size. Otherwise, it may lead to an out-of-memory (OOM) error when the request body is too large.

[erikdubbelboer]

Users using body streaming on the server side should use Request.BodyStream() to get an io.Reader and read as much as they need. It's not recommended to to call Request.Body() to then get the full body. I agree that we should probably maybe do something here to prevent this. I'm open to a pull request or suggestion on how to fix this.

[byte0o]

If you want to add a read data size limit to the Body function, can you abandon the Body function and only support BodyStream? BodyStream can satisfy the caller's control of the read data size.

[gaby]

@byte0o That would be a backward incompatible change, right?

[byte0o]

@gab Yes, you can first mark the Body function as deprecated

[dojutsu-user]

@erikdubbelboer
I would like to start contributing to this.
From the above discussion, it seems that we can mark the Body() function as deprecated but it is getting used at many places in the same file. We should probably replace those also, right?

[erikdubbelboer]

@dojutsu-user maybe you can have a look at changing it so that Request.Body() prints a warning using Server.Logger (so only when used in a server context).

[dojutsu-user]

@erikdubbelboer We'll have to inject the Server.Logger instance in the request, right?
Currently, there's no logger that I can fine in the req.

[erikdubbelboer]

Yeah but keep it private, we don't want to expose that.