api/handler: use http.MaxBytesReader and buffer pool (#1415)

* api/handler: use http.MaxBytesReader

protect api handlers from OOM cases

Signed-off-by: Vasiliy Tolstov <v.tolstov@unistack.org>

api/handler/event/event.go

@@ -4,7 +4,6 @@ package event
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"path"
 	"regexp"
@@ -15,10 +14,15 @@ import (
 	"github.com/micro/go-micro/v2/api/handler"
 	proto "github.com/micro/go-micro/v2/api/proto"
 	"github.com/micro/go-micro/v2/util/ctx"
+	"github.com/oxtoacart/bpool"
+)
+
+var (
+	bufferPool = bpool.NewSizedBufferPool(1024, 8)
 )
 
 type event struct {
-	options handler.Options
+	opts handler.Options
 }
 
 var (
@@ -64,11 +68,18 @@ func evRoute(ns, p string) (string, string) {
 }
 
 func (e *event) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	bsize := handler.DefaultMaxRecvSize
+	if e.opts.MaxRecvSize > 0 {
+		bsize = e.opts.MaxRecvSize
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, bsize)
+
 	// request to topic:event
 	// create event
 	// publish to topic
 
-	topic, action := evRoute(e.options.Namespace, r.URL.Path)
+	topic, action := evRoute(e.opts.Namespace, r.URL.Path)
 
 	// create event
 	ev := &proto.Event{
@@ -96,16 +107,18 @@ func (e *event) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		bytes, _ := json.Marshal(r.URL.Query())
 		ev.Data = string(bytes)
 	} else {
-		b, err := ioutil.ReadAll(r.Body)
-		if err != nil {
+		// Read body
+		buf := bufferPool.Get()
+		defer bufferPool.Put(buf)
+		if _, err := buf.ReadFrom(r.Body); err != nil {
 			http.Error(w, err.Error(), 500)
 			return
 		}
-		ev.Data = string(b)
+		ev.Data = buf.String()
 	}
 
 	// get client
-	c := e.options.Service.Client()
+	c := e.opts.Service.Client()
 
 	// create publication
 	p := c.NewMessage(topic, ev)
@@ -123,6 +136,6 @@ func (e *event) String() string {
 
 func NewHandler(opts ...handler.Option) handler.Handler {
 	return &event{
-		options: handler.NewOptions(opts...),
+		opts: handler.NewOptions(opts...),
 	}
 }