
fix(orchestrator): makes the bodyParser limit configurable. (#2802) #2858

Merged
lholmquist merged 1 commit into workspace/orchestrator from orchestrator-1.9-backport-RHDHSUPP-362 on Apr 21, 2026

Conversation

@lholmquist
Member

Cherry pick of PR #2802

Related to JIRA https://redhat.atlassian.net/browse/RHDHSUPP-362

  • fix(orchestrator): makes the bodyParser limit configurable.

A customer was having an issue where the workflows content length was over the 100kb limit. This adds a configurable value to make the content length larger

fixes: https://redhat.atlassian.net/browse/RHDHSUPP-351

  • squash: add changeset

  • squash: add changeset

  • squash: add the contentLengthLimit to the common config

  • squash: only add to the global

  • squash: add comment

Hey, I just made a Pull Request!

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Apr 21, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (1)


Advisory comments

1. Default express.json limit unchanged 📎 Requirement gap ☼ Reliability
Description
contentLengthLimit is optional, so when it is not set the JSON body parser keeps Express' default
limit (100kb/102400 bytes), meaning payloads >102400 bytes can still return HTTP 413. This may not
satisfy the requirement that workflow trigger requests >102400 bytes must not fail unless operators
explicitly configure the new setting.
Code

workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[R204-216]

+  const contentLengthLimit = config.getOptionalString(
+    'orchestrator.contentLengthLimit',
+  );
+  /**
+   * Set the content length limit for the requests.
+   * Defaults to 102400 bytes (100kb)
+   *
+   * There is a possiblity that some workflows will have a very large payload, which could cause a 413 error.
+   * Increasing this value will allow larger payloads to be processed.
+   *
+   */
+  router.use(express.json({ limit: contentLengthLimit }));
  router.use(permissionsIntegrationRouter);
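Review bot: the string returned by `config.getOptionalString('orchestrator.contentLengthLimit')` reaches `express.json({ limit: contentLengthLimit })` without any validation. body-parser resolves a string limit through the `bytes` package, which returns null for a value it does not recognise, and a null limit is treated as no limit at all, so a typo such as `10 megs` would silently remove the cap instead of failing. Parse the value once at startup (`bytes.parse`), throw when the result is null or not positive, and consider an upper bound. Also, `possiblity` in the comment should read `possibility`.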
Relevance

⭐ Low

Team already merged same approach: optional limit, default stays 100kb when unset (PR #2802).


ⓘ Recommendations generated based on similar findings in past PRs

Evidence
PR Compliance ID 1 requires orchestrator workflow trigger requests with payloads >102400 bytes to
not fail with HTTP 413; however the new code only applies a configurable limit if
orchestrator.contentLengthLimit is set, otherwise express.json({ limit: undefined }) falls back
to the default 100kb/102400 bytes limit.

Orchestrator workflow trigger requests must not fail with HTTP 413 for payloads > 102400 bytes
workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[204-216]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The new `orchestrator.contentLengthLimit` setting is optional, so when it is not configured the server keeps the default request body limit (100kb/102400 bytes), which can still trigger HTTP 413 for payloads >102400 bytes.

## Issue Context
Compliance requires orchestrator workflow trigger requests with payloads larger than 102400 bytes to not fail with HTTP 413.

## Fix Focus Areas
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[204-216]



2. Global body limit DoS 🐞 Bug ⛨ Security
Description
createBackendRouter applies orchestrator.contentLengthLimit via a global `express.json({ limit
})` middleware, so increasing it raises the maximum accepted JSON payload size for every JSON route
in this router. If configured too high, large request bodies can be fully buffered into memory
across multiple endpoints, increasing memory/CPU exhaustion (DoS) risk beyond just workflow
execution.
Code

workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[R204-215]

+  const contentLengthLimit = config.getOptionalString(
+    'orchestrator.contentLengthLimit',
+  );
+  /**
+   * Set the content length limit for the requests.
+   * Defaults to 102400 bytes (100kb)
+   *
+   * There is a possiblity that some workflows will have a very large payload, which could cause a 413 error.
+   * Increasing this value will allow larger payloads to be processed.
+   *
+   */
+  router.use(express.json({ limit: contentLengthLimit }));
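Review bot: mounting the parser with `router.use(express.json({ limit: contentLengthLimit }))` raises the accepted JSON body size for every route on this router, not only the workflow execute path that prompted the change. A single `router.use` that selects between `express.json()` and `express.json({ limit: contentLengthLimit })` based on `req.method` and `req.path` keeps the default for everything else; note that mounting a default `express.json()` globally and a larger parser on the route alone would not work, since the global parser runs first and answers 413 before the route is reached. Whatever the placement, document the maximum an operator is expected to set: `app-config.yaml` shows `10mb` as the example with no guidance on an upper bound.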
Relevance

⭐ Low

Similar warning to scope limit per-route was explicitly rejected in PR #2802 review discussion.


ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The PR installs express.json({ limit: contentLengthLimit }) at the router level (before all
OpenAPI handlers), which makes the configured limit apply broadly. The generated OpenAPI definition
shows multiple /v2/workflows/... POST endpoints that accept application/json request bodies,
meaning the increased limit affects more than a single endpoint.

workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[204-218]
workspaces/orchestrator/plugins/orchestrator-common/src/generated/api/definition.ts[2-5]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`express.json({ limit: contentLengthLimit })` is installed globally for the orchestrator router. If `orchestrator.contentLengthLimit` is set large, all JSON endpoints in this router will accept and buffer larger payloads, increasing DoS risk.

### Issue Context
The intent is to support larger workflow execution payloads. However, the current placement affects all JSON POST endpoints under `/v2/workflows/...` (and any other JSON routes on this router), not just the workflow execution endpoint.

### Fix Focus Areas
- Apply the larger limit only to the minimal set of routes that need it (e.g., the execute/retrigger endpoints), keeping other endpoints at the default.
- Add a reasonable maximum cap (or at least validate and warn) to prevent accidental extremely large limits.

- workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[204-218]



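The two advisory items above (validate the configured value before handing it to the parser, and scope the larger limit to the route that needs it) worked through as an added TypeScript example. This is not code from the PR or from the orchestrator plugin; the execute route pattern `/v2/workflows/<id>/execute`, the 50mb cap and all function names are assumptions made for the illustration.

```typescript
// Added example, not code from the PR or the orchestrator plugin. It validates and
// caps orchestrator.contentLengthLimit once at startup and routes requests to a
// default or an enlarged JSON parser. The execute route pattern and the 50mb cap
// are assumptions for this illustration.

const UNIT_BYTES: Record<string, number> = {
  b: 1,
  kb: 1024,
  mb: 1024 ** 2,
  gb: 1024 ** 3,
};

/** express.json()'s default limit, '100kb' = 102400 bytes. */
export const DEFAULT_LIMIT_BYTES = 102400;

/** Assumed hard cap so a mistyped value cannot become a near-unbounded parser. */
export const MAX_LIMIT_BYTES = 50 * 1024 ** 2;

/**
 * Parse a size string in the style body-parser accepts ('10mb', '512kb',
 * '1.5 MB', '2048'). Returns null for anything unrecognised instead of guessing.
 */
export function parseSize(value: string): number | null {
  const m = /^\s*(\d+(?:\.\d+)?)\s*([kmg]?b)?\s*$/i.exec(value);
  if (!m) return null;
  const factor = UNIT_BYTES[(m[2] ?? 'b').toLowerCase()];
  if (factor === undefined) return null;
  return Math.floor(parseFloat(m[1] ?? '') * factor);
}

/**
 * Resolve orchestrator.contentLengthLimit at startup. undefined keeps the
 * default; a malformed, zero or over-cap value throws so the backend refuses to
 * start rather than run with a limit the operator did not intend.
 */
export function resolveLimit(
  configured: string | undefined,
  cap: number = MAX_LIMIT_BYTES,
): number {
  if (configured === undefined) return DEFAULT_LIMIT_BYTES;
  const bytes = parseSize(configured);
  if (bytes === null || bytes <= 0) {
    throw new Error(`orchestrator.contentLengthLimit: cannot parse "${configured}" as a size`);
  }
  if (bytes > cap) {
    throw new Error(`orchestrator.contentLengthLimit: ${bytes} bytes exceeds the cap of ${cap} bytes`);
  }
  return bytes;
}

/** Assumed shape of the workflow execute route; only it needs the larger body. */
const EXECUTE_ROUTE = /^\/v2\/workflows\/[^/]+\/execute$/;

export function isExecuteRoute(method: string, path: string): boolean {
  return method.toUpperCase() === 'POST' && EXECUTE_ROUTE.test(path);
}

/** The JSON body limit a given request should be parsed under. */
export function limitForRoute(method: string, path: string, executeLimit: number): number {
  return isExecuteRoute(method, path) ? executeLimit : DEFAULT_LIMIT_BYTES;
}

/**
 * What the parser answers for a declared Content-Length: 413 above the route's
 * limit, otherwise 200. Bodies sent without Content-Length are still cut off by
 * the parser while streaming; this is only the early, cheap rejection.
 */
export function checkContentLength(
  method: string,
  path: string,
  contentLength: number,
  executeLimit: number,
): 200 | 413 {
  return contentLength > limitForRoute(method, path, executeLimit) ? 413 : 200;
}

type Middleware<Req, Res> = (req: Req, res: Res, next: (err?: unknown) => void) => void;

/**
 * One middleware that dispatches to the right parser. Mounting a default
 * express.json() globally plus a larger one on the route would not work: the
 * global parser runs first and answers 413 before the route is reached.
 */
export function routedJsonParser<Req extends { method: string; path: string }, Res>(parsers: {
  default: Middleware<Req, Res>;
  execute: Middleware<Req, Res>;
}): Middleware<Req, Res> {
  return (req, res, next) => {
    const parser = isExecuteRoute(req.method, req.path) ? parsers.execute : parsers.default;
    parser(req, res, next);
  };
}

// Wiring in the orchestrator router would then look like this (express is not
// imported here, so it stays a comment):
//   const executeLimit = resolveLimit(config.getOptionalString('orchestrator.contentLengthLimit'));
//   router.use(routedJsonParser({
//     default: express.json(),
//     execute: express.json({ limit: executeLimit }),
//   }));
```

`resolveLimit` is meant to run once at startup so that a bad value is a deployment failure rather than a silently wrong limit; `routedJsonParser` takes the two real `express.json` instances and picks one per request, which is why the default stays in force for every route other than the execute path.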

@sonarqubecloud

@rhdh-qodo-merge

Review Summary by Qodo

Make orchestrator bodyParser content length limit configurable

🐞 Bug fix ✨ Enhancement


Walkthroughs

Description
• Makes bodyParser content length limit configurable in orchestrator backend
• Adds contentLengthLimit configuration option to handle large workflow payloads
• Defaults to 102400 bytes (100kb) with ability to increase via config
• Includes configuration documentation and changeset entries
Diagram
flowchart LR
  A["Request with large payload"] -->|"bodyParser.json()"| B["contentLengthLimit config"]
  B -->|"if configured"| C["Use custom limit"]
  B -->|"if not configured"| D["Use default 100kb"]
  C --> E["Process request"]
  D --> E


File Changes

1. workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts ✨ Enhancement +12/-1

Configure bodyParser limit in router setup

• Retrieves contentLengthLimit configuration value from orchestrator config
• Passes limit parameter to express.json() middleware
• Adds detailed comment explaining the purpose and default behavior
• Resolves 413 errors for large workflow payloads

workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts


2. workspaces/orchestrator/plugins/orchestrator-common/config.d.ts ✨ Enhancement +5/-0

Add contentLengthLimit to config interface

• Adds contentLengthLimit optional string property to orchestrator config interface
• Includes JSDoc comment documenting the default value of 102400 bytes
• Enables type-safe configuration access

workspaces/orchestrator/plugins/orchestrator-common/config.d.ts


3. workspaces/orchestrator/.changeset/purple-eagles-share.md 📝 Documentation +5/-0

Changeset for backend bodyParser fix

• Creates changeset entry for orchestrator-backend package
• Documents patch-level fix for configurable bodyParser limit

workspaces/orchestrator/.changeset/purple-eagles-share.md


4. workspaces/orchestrator/.changeset/strong-pillows-yawn.md 📝 Documentation +5/-0

Changeset for common config update

• Creates changeset entry for orchestrator-common package
• Documents patch-level chore for new config value

workspaces/orchestrator/.changeset/strong-pillows-yawn.md


5. workspaces/orchestrator/app-config.yaml 📝 Documentation +2/-0

Add example configuration for contentLengthLimit

• Adds commented example configuration for contentLengthLimit
• Shows example value of 10mb for reference
• Includes explanatory comment about default 100kb limit

workspaces/orchestrator/app-config.yaml



@rhdh-qodo-merge rhdh-qodo-merge Bot added the documentation, enhancement and bug_fix labels Apr 21, 2026
@lholmquist lholmquist merged commit f0fc865 into workspace/orchestrator Apr 21, 2026
10 checks passed

Labels

bug_fix, documentation, enhancement, workspace/orchestrator
