Implement max inbound payload size

takahe/settings.py

@@ -312,6 +312,8 @@ CORS_ORIGIN_WHITELIST = SETUP.CORS_HOSTS
 CORS_ALLOW_CREDENTIALS = True
 CORS_PREFLIGHT_MAX_AGE = 604800
 
+JSONLD_MAX_SIZE = 1024 * 50  # 50 KB
+
 CSRF_TRUSTED_ORIGINS = SETUP.CSRF_HOSTS
 
 MEDIA_URL = SETUP.MEDIA_URL

users/views/activitypub.py

@@ -120,6 +120,9 @@ class Inbox(View):
     """
 
     def post(self, request, handle=None):
+        # Reject bodies that are unfeasibly big
+        if len(request.body) > settings.JSONLD_MAX_SIZE:
+            return HttpResponseBadRequest("Payload size too large")
         # Load the LD
         document = canonicalise(json.loads(request.body), include_security=True)
         # Find the Identity by the actor on the incoming item