Add Content-Length size check in Rack::Multipart::Parser

th4s1s · ioquatix · commit c42e35799506 · 2026-04-01T16:42:03.000+13:00
Compare the declared `Content-Length` against a configurable maximum (`PARSER_BYTESIZE_LIMIT`) before any parsing begins.

If it exceeds the limit, raise an exception immediately.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ All notable changes to this project will be documented in this file. For info on
 - [CVE-2026-34826](https://github.com/advisories/GHSA-x8cg-fq8g-mxfx) Multipart byte range processing allows denial of service via excessive overlapping ranges.
 - [CVE-2026-34830](https://github.com/advisories/GHSA-qv7j-4883-hwh7) `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-Redirect`.
 - [CVE-2026-34785](https://github.com/advisories/GHSA-h2jq-g4cq-5ppq) `Rack::Static` prefix matching can expose unintended files under the static root.
+- [CVE-2026-34829](https://github.com/advisories/GHSA-8vqr-qjwx-82mw) Multipart parsing without `Content-Length` header allows unbounded chunked file uploads.
 
 ## [2.2.22] - 2026-02-16
 
diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
@@ -41,6 +41,10 @@ class Parser
       BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
       private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
 
+      bytesize_limit = env_int.call("RACK_MULTIPART_PARSER_BYTESIZE_LIMIT", 10 * 1024 * 1024 * 1024)
+      PARSER_BYTESIZE_LIMIT = bytesize_limit > 0 ? bytesize_limit : nil
+      private_constant :PARSER_BYTESIZE_LIMIT
+
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -98,6 +102,10 @@ def self.parse(io, content_length, content_type, tmpfile, bufsize, qp)
         boundary = parse_boundary content_type
         return EMPTY unless boundary
 
+        if PARSER_BYTESIZE_LIMIT && content_length && content_length > PARSER_BYTESIZE_LIMIT
+          raise EOFError, "multipart Content-Length #{content_length} exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+        end
+
         io = BoundedIO.new(io, content_length) if content_length
         outbuf = String.new
 
@@ -218,6 +226,7 @@ def initialize(boundary, tempfile, bufsize, query_parser)
         @mime_index = 0
         @body_retained = nil
         @retained_size = 0
+        @total_bytes_read = (0 if PARSER_BYTESIZE_LIMIT)
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".dup)
@@ -229,6 +238,12 @@ def initialize(boundary, tempfile, bufsize, query_parser)
 
       def on_read(content)
         handle_empty_content!(content)
+        if @total_bytes_read
+          @total_bytes_read += content.bytesize
+          if @total_bytes_read > PARSER_BYTESIZE_LIMIT
+            raise EOFError, "multipart upload exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+          end
+        end
         @sbuf.concat content
         run_parser
       end
diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
@@ -20,6 +20,19 @@ def multipart_file(name)
     File.join(File.dirname(__FILE__), "multipart", name.to_s)
   end
 
+
+  def with_multipart_limit(limit)
+    previous = Rack::Multipart::Parser.send(:const_get, :PARSER_BYTESIZE_LIMIT)
+    begin
+      Rack::Multipart::Parser.send(:remove_const, :PARSER_BYTESIZE_LIMIT)
+      Rack::Multipart::Parser.const_set(:PARSER_BYTESIZE_LIMIT, limit)
+      yield
+    ensure
+      Rack::Multipart::Parser.send(:remove_const, :PARSER_BYTESIZE_LIMIT)
+      Rack::Multipart::Parser.const_set(:PARSER_BYTESIZE_LIMIT, previous)
+    end
+  end
+
   it "return nil if content type is not multipart" do
     env = Rack::MockRequest.env_for("/",
             "CONTENT_TYPE" => 'application/x-www-form-urlencoded')
@@ -49,6 +62,49 @@ def multipart_file(name)
     }.must_raise EOFError
   end
 
+  it "raises an exception if Content-Length exceeds total bytesize limit" do
+    with_multipart_limit(1024) do
+      env = Rack::MockRequest.env_for("/",
+        "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+        "CONTENT_LENGTH" => "2048",
+        :input => StringIO.new("--AaB03x--\r\n"))
+
+      lambda {
+        Rack::Multipart.parse_multipart(env)
+      }.must_raise(EOFError)
+    end
+  end
+
+  it "allows requests within the total bytesize limit" do
+    with_multipart_limit(1024 * 1024) do
+      env = Rack::MockRequest.env_for("/", multipart_fixture(:text))
+      params = Rack::Multipart.parse_multipart(env)
+      params["submit-name"].must_equal "Larry"
+    end
+  end
+
+  it "skips total bytesize check when there is no limit" do
+    with_multipart_limit(nil) do
+      env = Rack::MockRequest.env_for("/", multipart_fixture(:text))
+      params = Rack::Multipart.parse_multipart(env)
+      params["submit-name"].must_equal "Larry"
+    end
+  end
+
+  it "enforces total bytesize limit during streaming when Content-Length is absent" do
+    with_multipart_limit(1) do
+      # Even without Content-Length, the streaming check catches oversized uploads
+      fixture = multipart_fixture(:text)
+      fixture.delete("CONTENT_LENGTH")
+      env = Rack::MockRequest.env_for("/", fixture)
+      env.delete("CONTENT_LENGTH")
+
+      lambda {
+        Rack::Multipart.parse_multipart(env)
+      }.must_raise EOFError
+    end
+  end
+
   it "parses multipart content when content type is present but disposition is not" do
     env = Rack::MockRequest.env_for("/", multipart_fixture(:content_type_and_no_disposition))
     params = Rack::Multipart.parse_multipart(env)
