encode · alex-oleshkevich · Jun 6, 2023 · Jun 10, 2023 · Jun 22, 2023 · Jun 22, 2023
diff --git a/starlette/applications.py b/starlette/applications.py
@@ -61,6 +61,7 @@ def __init__(
         on_startup: typing.Optional[typing.Sequence[typing.Callable]] = None,
         on_shutdown: typing.Optional[typing.Sequence[typing.Callable]] = None,
         lifespan: typing.Optional[Lifespan["AppType"]] = None,
+        request_max_size: int = 2621440,  # 2.5mb
     ) -> None:
         # The lifespan context function is a newer style that replaces
         # on_startup / on_shutdown handlers. Use one or the other, not both.
@@ -78,6 +79,7 @@ def __init__(
         )
         self.user_middleware = [] if middleware is None else list(middleware)
         self.middleware_stack: typing.Optional[ASGIApp] = None
+        self.request_max_size = request_max_size
 self._url = url 
 self._url = url 
 
     def build_middleware_stack(self) -> ASGIApp:
         debug = self.debug
@@ -117,6 +119,7 @@ def url_path_for(self, __name: str, **path_params: typing.Any) -> URLPath:
 
     async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
         scope["app"] = self
+        scope["request_max_size"] = self.request_max_size
         if self.middleware_stack is None:
             self.middleware_stack = self.build_middleware_stack()
         await self.middleware_stack(scope, receive, send)

diff --git a/starlette/routing.py b/starlette/routing.py
@@ -17,7 +17,7 @@
 from starlette.middleware import Middleware
 from starlette.requests import Request
 from starlette.responses import PlainTextResponse, RedirectResponse
-from starlette.types import ASGIApp, Lifespan, Receive, Scope, Send
+from starlette.types import ASGIApp, Lifespan, Message, Receive, Scope, Send
 from starlette.websockets import WebSocket, WebSocketClose
 
 
@@ -205,12 +205,14 @@ def __init__(
         methods: typing.Optional[typing.List[str]] = None,
         name: typing.Optional[str] = None,
         include_in_schema: bool = True,
+        request_max_size: typing.Optional[int] = None,
     ) -> None:
         assert path.startswith("/"), "Routed paths must start with '/'"
         self.path = path
         self.endpoint = endpoint
         self.name = get_name(endpoint) if name is None else name
         self.include_in_schema = include_in_schema
+        self.request_max_size = request_max_size
 
         endpoint_handler = endpoint
         while isinstance(endpoint_handler, functools.partial):
@@ -273,7 +275,25 @@ async def handle(self, scope: Scope, receive: Receive, send: Send) -> None:
                 )
             await response(scope, receive, send)
         else:
-            await self.app(scope, receive, send)
+            bytes_read = 0
+            max_body_size = self.request_max_size or scope.get("request_max_size")
+
+            async def receive_wrapper() -> Message:
+                nonlocal bytes_read
+                message = await receive()
+                if message["type"] != "http.request" or max_body_size is None:
+                    return message
+
+                body = message.get("body", b"")
+                bytes_read += len(body)
+                if bytes_read > max_body_size:
+                    raise HTTPException(
+                        status_code=413, detail="Request Entity Too Large"
+                    )
+
+                return message
+
+            await self.app(scope, receive_wrapper, send)
 
     def __eq__(self, other: typing.Any) -> bool:
         return (

diff --git a/tests/test_applications.py b/tests/test_applications.py
@@ -207,6 +207,26 @@ def test_500(test_client_factory):
     assert response.json() == {"detail": "Server Error"}
 
 
+def test_413(test_client_factory):
+    async def read_view(request):
+        content = await request.body()
+        return JSONResponse(content.decode())
+
+    app = Starlette(
+        request_max_size=10,  # 10 bytes
+        routes=[Route("/", endpoint=read_view, methods=["POST"])],
+    )
+
+    client = test_client_factory(app, raise_server_exceptions=True)
+    response = client.post("/", data=b"youshallnotpass")
+    assert response.status_code == 413
+    assert response.text == "Request Entity Too Large"
+
+    response = client.post("/", data=b"ok")
+    assert response.status_code == 200
+    assert response.text == '"ok"'
+
+
 def test_websocket_raise_websocket_exception(client):
     with client.websocket_connect("/ws-raise-websocket") as session:
         response = session.receive()

diff --git a/tests/test_routing.py b/tests/test_routing.py
@@ -1125,3 +1125,40 @@ async def startup() -> None:
             ...  # pragma: nocover
 
         router.on_event("startup")(startup)
+
+
+def test_request_body_size_limit(test_client_factory):
+    async def read_view(request):
+        content = await request.body()
+        return JSONResponse(content.decode())
+
+    app = Starlette(
+        routes=[Route("/", endpoint=read_view, methods=["POST"], request_max_size=10)],
+    )
+
+    client = test_client_factory(app, raise_server_exceptions=True)
+    response = client.post("/", data=b"youshallnotpass")
+    assert response.status_code == 413
+    assert response.text == "Request Entity Too Large"
+
+    response = client.post("/", data=b"ok")
+    assert response.status_code == 200
+    assert response.text == '"ok"'
+
+
+def test_request_body_size_limit_route_has_higher_precedense(test_client_factory):
+    async def read_view(request):
+        content = await request.body()
+        return JSONResponse(content.decode())
+
+    app = Starlette(
+        request_max_size=5,
+        routes=[Route("/", endpoint=read_view, methods=["POST"], request_max_size=24)],
+    )
+
+    # app caps at 5 bytes, route has 24 byte limit
+    # payload of size 12 bytes should pass
+    client = test_client_factory(app, raise_server_exceptions=True)
+    response = client.post("/", data=b"youshallpass")  # 12 bytes
+    assert response.status_code == 200
+    assert response.text == '"youshallpass"'