#3567 add test return HTTP 413 with JSON error when request body exceeds size l…#3669
Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! The pull request enhances the ArcadeDB HTTP server's robustness by improving how it handles requests with excessively large bodies. Previously, such requests would result in a vague HTTP 400 error without specific details. This change introduces a dedicated handler that intercepts oversized requests, responds with an appropriate HTTP 413 status code, and provides a clear JSON error message. This message informs the client about the exceeded limit and guides them on how to configure the 'arcadedb.server.httpBodyContentMaxSize' setting, significantly improving the developer experience and API clarity. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
Code ReviewGood approach overall. A few issues worth addressing. Critical: Chunked Transfer Encoding Bypass The check relies solely on the Content-Length header. When a client uses chunked transfer encoding (Transfer-Encoding: chunked), getRequestContentLength() returns -1 and the check is silently skipped. The size limit is therefore trivially bypassed, removing DoS protection for chunked requests — arguably worse than before since Undertow MAX_ENTITY_SIZE handled chunked bodies correctly at the I/O layer. Either reject requests without Content-Length when maxEntitySize > 0, or wrap the exchange input stream to count actual bytes read. At minimum, document this as a known limitation. Style: Hardcoded Config Key in Error Message The error message hardcodes the string arcadedb.server.httpBodyContentMaxSize. Use GlobalConfiguration.SERVER_HTTP_BODY_CONTENT_MAX_SIZE.getKey() so the message stays correct if the key is ever renamed. Style: JSON via String Concatenation Per CLAUDE.md, JSON should be built with com.arcadedb.serializer.json.JSONObject rather than string concatenation. While long values cannot cause JSON injection here, this violates the project convention. Minor: Condition Semantics for maxEntitySize The config doc says -1 means unlimited, but the guard skips enforcement for any value <= 0. A value of 0 therefore silently disables the limit. Worth documenting or aligning with the config description. Minor: Redundant connect() in Test In requestWithinBodyLimitSucceeds(), connection.connect() is called after writing to the output stream. Writing already triggers the connection implicitly. Test: Missing Content-Type Assertion The 413 test verifies the response body but does not assert Content-Type: application/json even though the handler explicitly sets that header. Summary: the chunked-encoding bypass is the main concern; the rest are polish. Once addressed this should be in good shape. |
There was a problem hiding this comment.
Code Review
This pull request introduces a custom Undertow handler to provide a more informative error (HTTP 413 with a JSON body) when a request body exceeds the configured size limit. This is a good improvement over Undertow's default behavior. The added tests correctly verify the new behavior for requests with a Content-Length header. However, I have identified a potential security issue related to requests that use chunked encoding, which bypass the new size check. I've also included a minor suggestion to improve code readability.
| private HttpHandler createBodySizeLimitHandler(final HttpHandler next, final ContextConfiguration configuration) { | ||
| return exchange -> { | ||
| final long maxEntitySize = configuration.getValueAsLong(GlobalConfiguration.SERVER_HTTP_BODY_CONTENT_MAX_SIZE); | ||
| if (maxEntitySize > 0) { | ||
| final long contentLength = exchange.getRequestContentLength(); | ||
| if (contentLength > maxEntitySize) { | ||
| exchange.setStatusCode(StatusCodes.REQUEST_ENTITY_TOO_LARGE); | ||
| exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "application/json"); | ||
| exchange.getResponseSender().send( | ||
| "{\"error\":\"Request body too large\",\"detail\":\"Request body size (" + contentLength | ||
| + " bytes) exceeds the maximum allowed size of " + maxEntitySize | ||
| + " bytes. Configure 'arcadedb.server.httpBodyContentMaxSize' to increase the limit.\"}"); | ||
| return; | ||
| } | ||
| } | ||
| next.handleRequest(exchange); | ||
| }; | ||
| } |
There was a problem hiding this comment.
This handler only checks for requests with a Content-Length header. Requests using chunked encoding (Transfer-Encoding: chunked) will bypass this check because exchange.getRequestContentLength() returns -1 for them. Since UndertowOptions.MAX_ENTITY_SIZE is now set to Long.MAX_VALUE, this could allow an attacker to send an arbitrarily large chunked request, potentially leading to an OutOfMemoryError and a Denial of Service. This is a regression from the previous implementation that used UndertowOptions.MAX_ENTITY_SIZE, which correctly handles all request types. A more robust solution is needed to handle chunked requests as well.
| exchange.getResponseSender().send( | ||
| "{\"error\":\"Request body too large\",\"detail\":\"Request body size (" + contentLength | ||
| + " bytes) exceeds the maximum allowed size of " + maxEntitySize | ||
| + " bytes. Configure 'arcadedb.server.httpBodyContentMaxSize' to increase the limit.\"}"); |
There was a problem hiding this comment.
Manual JSON string concatenation using + is fragile and can be hard to read. Using String.format() would make this code cleaner, more readable, and less prone to concatenation errors.
exchange.getResponseSender().send(String.format("{\"error\":\"Request body too large\",\"detail\":\"Request body size (%d bytes) exceeds the maximum allowed size of %d bytes. Configure 'arcadedb.server.httpBodyContentMaxSize' to increase the limit.\"}", contentLength, maxEntitySize));
🧪 CI InsightsHere's what we observed from your CI run for 8dc0266. 🟢 All jobs passed!But CI Insights is watching 👀 |
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferencesFootnotes
|
…imit (#3567) Undertow's built-in MAX_ENTITY_SIZE silently returned 400 with an empty body. Replace with a handler-level check that returns a proper 413 with a JSON error describing the limit and the config key to adjust it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
499d465 to
8dc0266
Compare
|
test |
|
test2 |
|
Code Review - Issue 1: Size limit bypass via chunked encoding. Issue 2: Silent IOException in readErrorStream. Issue 3: Redundant connection.connect(). Issue 4: Loose assertion contains error. Issue 5: No response body validation. See detailed review in follow-up comments. |
|
Removing placeholder comments above - full review below. |
|
Code Review |
|
This PR adds a regression test (HttpBodySizeLimitTest) for the HTTP 413 response behaviour introduced by createBodySizeLimitHandler in HttpServer.java. The implementation itself is already on main - the PR is test-only. |
|
Issue 1 - Size limit bypass via chunked encoding: createBodySizeLimitHandler only checks exchange.getRequestContentLength(), which returns -1 when the client omits Content-Length and uses Transfer-Encoding: chunked. A client doing so bypasses the limit entirely. Consider adding a test that sends a chunked request over the limit to document the known limitation or verify a future fix. |
|
Issue 2 - Silent catch in readErrorStream masks assertion failures: If an IOException occurs reading the error stream, the method returns an empty string and the subsequent assertion assertThat(errorBody).contains('error') fails with a misleading 'expected to contain error but was empty' message rather than revealing the true cause. The exception should at minimum be rethrown as an unchecked exception so the test failure is diagnosable. |
|
Issue 3 - Redundant connection.connect() in requestWithinBodyLimitSucceeds: getOutputStream() already implicitly opens the connection, so the explicit connection.connect() call after writing the body is a no-op. Remove it to avoid confusion. |
|
Issue 4 - Test assertions are too loose: assertThat(errorBody).contains('error') would pass for any JSON that mentions the word 'error' (e.g. an unrelated server-side exception). A tighter assertion against the specific message is better - e.g. assertThat(errorBody).contains('Request body too large') - to make the test actually validate the right code path. |
|
Issue 5 - requestWithinBodyLimitSucceeds does not validate the response body: The success test only checks for HTTP 200 but ignores the response body. A lightweight check that the body is well-formed JSON with a 'result' key would make it more meaningful and catch regressions where the request goes through but the query itself fails silently. |
|
Minor / Nits: The test sends raw bytes (x repeated) with Content-Type: application/json - acceptable since the size check fires before body parsing, but a brief comment explaining the intentionally invalid body content would help readers. The PR checklist items ('I have run the build...' and 'My unit tests cover both failure and success scenarios') are unchecked - please verify both before merge. |
|
Summary: The test covers the primary happy and sad paths for the Content-Length-based limit check and is a valuable regression guard. The two items most worth addressing before merge are: (a) the readErrorStream silent-catch which makes test failures hard to diagnose, and (b) the loose contains('error') assertion. The chunked-encoding bypass is a pre-existing limitation in the implementation, but is worth at least documenting with a comment or a skipped test. |
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferences |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3669 +/- ##
==========================================
- Coverage 65.83% 65.82% -0.01%
==========================================
Files 1550 1550
Lines 109700 109700
Branches 22878 22878
==========================================
- Hits 72218 72210 -8
- Misses 27768 27804 +36
+ Partials 9714 9686 -28 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Bumps [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) from 8.20.0 to 8.21.0. Changelog *Sourced from [pg's changelog](https://github.com/brianc/node-postgres/blob/master/CHANGELOG.md).* > pg@8.21.0 > --------- > > * Handle [SASL SCRAM](https://redirect.github.com/brianc/node-postgres/pull/3521) server error responses properly. > * Add support for [node@26](https://redirect.github.com/brianc/node-postgres/pull/3667). > * Add `scramMaxIterations` [config option](https://redirect.github.com/brianc/node-postgres/pull/3677). > * Add `client.getTransactionStatus()` [method](https://redirect.github.com/brianc/node-postgres/pull/3645). Commits * [`544b1ce`](brianc/node-postgres@544b1ce) Publish * [`cc03fa5`](brianc/node-postgres@cc03fa5) Add scramMaxIterations option to limit SCRAM iteration count ([#3677](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3677)) * [`f776327`](brianc/node-postgres@f776327) Remove compatibility code for unsupported versions of Node (<16) ([#3678](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3678)) * [`f252870`](brianc/node-postgres@f252870) cleanup: pg utils ([#3675](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3675)) * [`c8da6ab`](brianc/node-postgres@c8da6ab) Assorted test cleanup ([#3673](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3673)) * [`fa47e73`](brianc/node-postgres@fa47e73) fix: `Client#end` callback being called multiple times when first is no-op (#... * [`88a7e60`](brianc/node-postgres@88a7e60) cleanup: Move declaration to more natural place * [`2095247`](brianc/node-postgres@2095247) cleanup: Combine duplicated code in `Client#query` and avoid unneeded early n... * [`0ac3edd`](brianc/node-postgres@0ac3edd) fix: apply SASLprep (RFC 4013) to passwords before SCRAM-SHA-256 PBKDF2 ([#3669](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3669)) * [`be880d4`](brianc/node-postgres@be880d4) Assorted test fixes and cleanup ([#3672](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3672)) * Additional commits viewable in [compare view](https://github.com/brianc/node-postgres/commits/pg@8.21.0/packages/pg) [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
…[skip ci] Bumps [org.mockito:mockito-core](https://github.com/mockito/mockito) from 5.18.0 to 5.19.0. Release notes *Sourced from [org.mockito:mockito-core's releases](https://github.com/mockito/mockito/releases).* > v5.19.0 > ------- > > *Changelog generated by [Shipkit Changelog Gradle Plugin](https://github.com/shipkit/shipkit-changelog)* > > #### 5.19.0 > > * 2025-08-15 - [37 commit(s)](mockito/mockito@v5.18.0...v5.19.0) by Adrian-Kim, Tim van der Lippe, Tran Ngoc Nhan, dependabot[bot], juyeop > * feat: Add support for JDK21 Sequenced Collections. [([ArcadeData#3708](https://redirect.github.com/mockito/mockito/issues/3708))]([mockito/mockito#3708](https://redirect.github.com/mockito/mockito/pull/3708)) > * Bump actions/checkout from 4 to 5 [([ArcadeData#3707](https://redirect.github.com/mockito/mockito/issues/3707))]([mockito/mockito#3707](https://redirect.github.com/mockito/mockito/pull/3707)) > * build: Allow overriding 'Created-By' for reproducible builds [([ArcadeData#3704](https://redirect.github.com/mockito/mockito/issues/3704))]([mockito/mockito#3704](https://redirect.github.com/mockito/mockito/pull/3704)) > * Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 [([ArcadeData#3703](https://redirect.github.com/mockito/mockito/issues/3703))]([mockito/mockito#3703](https://redirect.github.com/mockito/mockito/pull/3703)) > * Bump androidx.test:runner from 1.6.2 to 1.7.0 [([ArcadeData#3697](https://redirect.github.com/mockito/mockito/issues/3697))]([mockito/mockito#3697](https://redirect.github.com/mockito/mockito/pull/3697)) > * Bump org.junit.platform:junit-platform-launcher from 1.13.3 to 1.13.4 [([ArcadeData#3694](https://redirect.github.com/mockito/mockito/issues/3694))]([mockito/mockito#3694](https://redirect.github.com/mockito/mockito/pull/3694)) > * Bump com.diffplug.spotless:spotless-plugin-gradle from 7.1.0 to 7.2.1 [([ArcadeData#3693](https://redirect.github.com/mockito/mockito/issues/3693))]([mockito/mockito#3693](https://redirect.github.com/mockito/mockito/pull/3693)) > * Bump junit-jupiter from 5.13.3 to 5.13.4 [([ArcadeData#3691](https://redirect.github.com/mockito/mockito/issues/3691))]([mockito/mockito#3691](https://redirect.github.com/mockito/mockito/pull/3691)) > * Bump com.gradle.develocity from 4.0.2 to 4.1 [([ArcadeData#3689](https://redirect.github.com/mockito/mockito/issues/3689))]([mockito/mockito#3689](https://redirect.github.com/mockito/mockito/pull/3689)) > * Bump com.google.googlejavaformat:google-java-format from 1.27.0 to 1.28.0 [([ArcadeData#3688](https://redirect.github.com/mockito/mockito/issues/3688))]([mockito/mockito#3688](https://redirect.github.com/mockito/mockito/pull/3688)) > * Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.27.0 [([ArcadeData#3686](https://redirect.github.com/mockito/mockito/issues/3686))]([mockito/mockito#3686](https://redirect.github.com/mockito/mockito/pull/3686)) > * Bump com.diffplug.spotless:spotless-plugin-gradle from 7.0.4 to 7.1.0 [([ArcadeData#3685](https://redirect.github.com/mockito/mockito/issues/3685))]([mockito/mockito#3685](https://redirect.github.com/mockito/mockito/pull/3685)) > * Bump junit-jupiter from 5.13.2 to 5.13.3 [([ArcadeData#3684](https://redirect.github.com/mockito/mockito/issues/3684))]([mockito/mockito#3684](https://redirect.github.com/mockito/mockito/pull/3684)) > * Bump org.shipkit:shipkit-auto-version from 2.1.0 to 2.1.2 [([ArcadeData#3683](https://redirect.github.com/mockito/mockito/issues/3683))]([mockito/mockito#3683](https://redirect.github.com/mockito/mockito/pull/3683)) > * Bump com.diffplug.spotless:spotless-plugin-gradle from 7.0.2 to 7.0.4 [([ArcadeData#3682](https://redirect.github.com/mockito/mockito/issues/3682))]([mockito/mockito#3682](https://redirect.github.com/mockito/mockito/pull/3682)) > * Only run release after both Java and Android tests have finished > [([ArcadeData#3681](https://redirect.github.com/mockito/mockito/issues/3681))]([mockito/mockito#3681](https://redirect.github.com/mockito/mockito/pull/3681)) > * Bump org.junit.platform:junit-platform-launcher from 1.12.2 to 1.13.3 [([ArcadeData#3680](https://redirect.github.com/mockito/mockito/issues/3680))]([mockito/mockito#3680](https://redirect.github.com/mockito/mockito/pull/3680)) > * Bump org.codehaus.groovy:groovy from 3.0.24 to 3.0.25 [([ArcadeData#3679](https://redirect.github.com/mockito/mockito/issues/3679))]([mockito/mockito#3679](https://redirect.github.com/mockito/mockito/pull/3679)) > * Bump org.eclipse.platform:org.eclipse.osgi from 3.23.0 to 3.23.100 [([ArcadeData#3678](https://redirect.github.com/mockito/mockito/issues/3678))]([mockito/mockito#3678](https://redirect.github.com/mockito/mockito/pull/3678)) > * Can no longer publish snapshot releases [([ArcadeData#3677](https://redirect.github.com/mockito/mockito/issues/3677))]([mockito/mockito#3677](https://redirect.github.com/mockito/mockito/issues/3677)) > * Update Gradle to 8.14.2 [([ArcadeData#3676](https://redirect.github.com/mockito/mockito/issues/3676))]([mockito/mockito#3676](https://redirect.github.com/mockito/mockito/pull/3676)) > * Bump errorprone from 2.23.0 to 2.39.0 [([ArcadeData#3674](https://redirect.github.com/mockito/mockito/issues/3674))]([mockito/mockito#3674](https://redirect.github.com/mockito/mockito/pull/3674)) > * Correct Junit docs link [([ArcadeData#3672](https://redirect.github.com/mockito/mockito/issues/3672))]([mockito/mockito#3672](https://redirect.github.com/mockito/mockito/pull/3672)) > * Bump net.ltgt.gradle:gradle-errorprone-plugin from 4.1.0 to 4.3.0 [([ArcadeData#3670](https://redirect.github.com/mockito/mockito/issues/3670))]([mockito/mockito#3670](https://redirect.github.com/mockito/mockito/pull/3670)) > * Bump junit-jupiter from 5.13.1 to 5.13.2 [([ArcadeData#3669](https://redirect.github.com/mockito/mockito/issues/3669))]([mockito/mockito#3669](https://redirect.github.com/mockito/mockito/pull/3669)) > * Bump bytebuddy from 1.17.5 to 1.17.6 [([ArcadeData#3668](https://redirect.github.com/mockito/mockito/issues/3668))]([mockito/mockito#3668](https://redirect.github.com/mockito/mockito/pull/3668)) > * Bump junit-jupiter from 5.12.2 to 5.13.1 [([ArcadeData#3666](https://redirect.github.com/mockito/mockito/issues/3666))]([mockito/mockito#3666](https://redirect.github.com/mockito/mockito/pull/3666)) > * Bump org.jetbrains.kotlin:kotlin-stdlib from 2.0.21 to 2.2.0 [([ArcadeData#3665](https://redirect.github.com/mockito/mockito/issues/3665))]([mockito/mockito#3665](https://redirect.github.com/mockito/mockito/pull/3665)) > * Bump org.gradle.toolchains.foojay-resolver-convention from 0.9.0 to 1.0.0 [([ArcadeData#3661](https://redirect.github.com/mockito/mockito/issues/3661))]([mockito/mockito#3661](https://redirect.github.com/mockito/mockito/pull/3661)) > * Bump org.junit.platform:junit-platform-launcher from 1.11.4 to 1.12.2 [([ArcadeData#3660](https://redirect.github.com/mockito/mockito/issues/3660))]([mockito/mockito#3660](https://redirect.github.com/mockito/mockito/pull/3660)) > * Add JDK21 sequenced collections for ReturnsEmptyValues [([ArcadeData#3659](https://redirect.github.com/mockito/mockito/issues/3659))]([mockito/mockito#3659](https://redirect.github.com/mockito/mockito/issues/3659)) > * Bump com.gradle.develocity from 3.19.1 to 4.0.2 [([ArcadeData#3658](https://redirect.github.com/mockito/mockito/issues/3658))]([mockito/mockito#3658](https://redirect.github.com/mockito/mockito/pull/3658)) > * Bump ru.vyarus:gradle-animalsniffer-plugin from 1.7.2 to 2.0.1 [([ArcadeData#3657](https://redirect.github.com/mockito/mockito/issues/3657))]([mockito/mockito#3657](https://redirect.github.com/mockito/mockito/pull/3657)) > * Bump org.eclipse.platform:org.eclipse.osgi from 3.22.0 to 3.23.0 [([ArcadeData#3656](https://redirect.github.com/mockito/mockito/issues/3656))]([mockito/mockito#3656](https://redirect.github.com/mockito/mockito/pull/3656)) > * Bump org.codehaus.groovy:groovy from 3.0.23 to 3.0.24 [([ArcadeData#3655](https://redirect.github.com/mockito/mockito/issues/3655))]([mockito/mockito#3655](https://redirect.github.com/mockito/mockito/pull/3655)) > * Bump junit-jupiter from 5.11.4 to 5.12.2 [([ArcadeData#3653](https://redirect.github.com/mockito/mockito/issues/3653))]([mockito/mockito#3653](https://redirect.github.com/mockito/mockito/pull/3653)) > * Reproducible Build: need to inject JDK distribution details to rebuild [([ArcadeData#3563](https://redirect.github.com/mockito/mockito/issues/3563))]([mockito/mockito#3563](https://redirect.github.com/mockito/mockito/issues/3563)) Commits * [`144751b`](mockito/mockito@144751b) Add support for JDK21 Sequenced Collections. ([ArcadeData#3708](https://redirect.github.com/mockito/mockito/issues/3708)) * [`b275c7d`](mockito/mockito@b275c7d) Bump actions/checkout from 4 to 5 ([ArcadeData#3707](https://redirect.github.com/mockito/mockito/issues/3707)) * [`ad6ae2f`](mockito/mockito@ad6ae2f) Allow overriding 'Created-By' for reproducible builds ([ArcadeData#3704](https://redirect.github.com/mockito/mockito/issues/3704)) * [`096ee9f`](mockito/mockito@096ee9f) Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 ([ArcadeData#3703](https://redirect.github.com/mockito/mockito/issues/3703)) * [`aa7be27`](mockito/mockito@aa7be27) Bump androidx.test:runner from 1.6.2 to 1.7.0 ([ArcadeData#3697](https://redirect.github.com/mockito/mockito/issues/3697)) * [`c8a698b`](mockito/mockito@c8a698b) Remove unused tests * [`ea45979`](mockito/mockito@ea45979) Bump errorprone from 2.39.0 to 2.41.0 * [`9c8eb23`](mockito/mockito@9c8eb23) Bump org.junit.platform:junit-platform-launcher from 1.13.3 to 1.13.4 ([ArcadeData#3694](https://redirect.github.com/mockito/mockito/issues/3694)) * [`f05e44d`](mockito/mockito@f05e44d) Bump com.diffplug.spotless:spotless-plugin-gradle from 7.1.0 to 7.2.1 ([ArcadeData#3693](https://redirect.github.com/mockito/mockito/issues/3693)) * [`9d32dfe`](mockito/mockito@9d32dfe) Bump junit-jupiter from 5.13.3 to 5.13.4 ([ArcadeData#3691](https://redirect.github.com/mockito/mockito/issues/3691)) * Additional commits viewable in [compare view](mockito/mockito@v5.18.0...v5.19.0) [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
… 2.63.0 to 2.63.1 [skip ci] Bumps [com.google.api.grpc:proto-google-common-protos](https://github.com/googleapis/sdk-platform-java) from 2.63.0 to 2.63.1. Changelog *Sourced from [com.google.api.grpc:proto-google-common-protos's changelog](https://github.com/googleapis/sdk-platform-java/blob/main/CHANGELOG.md).* > Changelog > ========= > > [2.64.1](googleapis/sdk-platform-java@v2.64.0...v2.64.1) (2025-11-07) > ------------------------------------------------------------------------------------------------ > > ### Dependencies > > * bump opentelemetry.version to 1.52.0 ([ArcadeData#3979](https://redirect.github.com/googleapis/sdk-platform-java/issues/3979)) ([764778c](googleapis/sdk-platform-java@764778c)) > > [2.64.0](googleapis/sdk-platform-java@v2.63.0...v2.64.0) (2025-10-31) > ------------------------------------------------------------------------------------------------ > > ### Features > > * [common-protos] Add `Carousel` widget ([1e4a7e5](googleapis/sdk-platform-java@1e4a7e5)) > * **librariangen:** add generate package ([ArcadeData#3952](https://redirect.github.com/googleapis/sdk-platform-java/issues/3952)) ([2f6c75d](googleapis/sdk-platform-java@2f6c75d)) > * **librariangen:** generate grpc stubs and resource helpers ([ArcadeData#3967](https://redirect.github.com/googleapis/sdk-platform-java/issues/3967)) ([452d703](googleapis/sdk-platform-java@452d703)) > > ### Dependencies > > * Bump grpc-java to v1.76.0 ([ArcadeData#3942](https://redirect.github.com/googleapis/sdk-platform-java/issues/3942)) ([ffb557c](googleapis/sdk-platform-java@ffb557c)) Commits * [`4aaea1e`](googleapis/sdk-platform-java@4aaea1e) chore(main): release 2.55.1 ([ArcadeData#3695](https://redirect.github.com/googleapis/sdk-platform-java/issues/3695)) * [`2725744`](googleapis/sdk-platform-java@2725744) deps: revert "deps: update arrow.version to v18.2.0" ([ArcadeData#3694](https://redirect.github.com/googleapis/sdk-platform-java/issues/3694)) * [`3d06ab7`](googleapis/sdk-platform-java@3d06ab7) chore(main): release 2.55.1-SNAPSHOT ([ArcadeData#3692](https://redirect.github.com/googleapis/sdk-platform-java/issues/3692)) * [`a38020a`](googleapis/sdk-platform-java@a38020a) chore(main): release 2.55.0 ([ArcadeData#3669](https://redirect.github.com/googleapis/sdk-platform-java/issues/3669)) * [`8fd7b62`](googleapis/sdk-platform-java@8fd7b62) build(deps): update dependency com.google.cloud:google-cloud-shared-config to... * [`2562a7d`](googleapis/sdk-platform-java@2562a7d) chore: update googleapis commit at Thu Feb 27 02:27:38 UTC 2025 ([ArcadeData#3666](https://redirect.github.com/googleapis/sdk-platform-java/issues/3666)) * [`542d98d`](googleapis/sdk-platform-java@542d98d) chore: add aliases to generate command options. ([ArcadeData#3689](https://redirect.github.com/googleapis/sdk-platform-java/issues/3689)) * [`5192426`](googleapis/sdk-platform-java@5192426) chore: add java 8 compatibility check ([ArcadeData#3688](https://redirect.github.com/googleapis/sdk-platform-java/issues/3688)) * [`25d3101`](googleapis/sdk-platform-java@25d3101) chore: fix logback-classic version for testing ([ArcadeData#3686](https://redirect.github.com/googleapis/sdk-platform-java/issues/3686)) * [`0932605`](googleapis/sdk-platform-java@0932605) test: Reduce the LRO timeout value in Showcase tests ([ArcadeData#3684](https://redirect.github.com/googleapis/sdk-platform-java/issues/3684)) * Additional commits viewable in [compare view](googleapis/sdk-platform-java@v2.63.0...gax/v2.63.1) [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
… body exceeds size l… (ArcadeData#3669)
Bumps [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) from 8.20.0 to 8.21.0. Changelog *Sourced from [pg's changelog](https://github.com/brianc/node-postgres/blob/master/CHANGELOG.md).* > pg@8.21.0 > --------- > > * Handle [SASL SCRAM](https://redirect.github.com/brianc/node-postgres/pull/3521) server error responses properly. > * Add support for [node@26](https://redirect.github.com/brianc/node-postgres/pull/3667). > * Add `scramMaxIterations` [config option](https://redirect.github.com/brianc/node-postgres/pull/3677). > * Add `client.getTransactionStatus()` [method](https://redirect.github.com/brianc/node-postgres/pull/3645). Commits * [`544b1ce`](brianc/node-postgres@544b1ce) Publish * [`cc03fa5`](brianc/node-postgres@cc03fa5) Add scramMaxIterations option to limit SCRAM iteration count ([ArcadeData#3677](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3677)) * [`f776327`](brianc/node-postgres@f776327) Remove compatibility code for unsupported versions of Node (<16) ([ArcadeData#3678](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3678)) * [`f252870`](brianc/node-postgres@f252870) cleanup: pg utils ([ArcadeData#3675](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3675)) * [`c8da6ab`](brianc/node-postgres@c8da6ab) Assorted test cleanup ([ArcadeData#3673](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3673)) * [`fa47e73`](brianc/node-postgres@fa47e73) fix: `Client#end` callback being called multiple times when first is no-op (#... * [`88a7e60`](brianc/node-postgres@88a7e60) cleanup: Move declaration to more natural place * [`2095247`](brianc/node-postgres@2095247) cleanup: Combine duplicated code in `Client#query` and avoid unneeded early n... * [`0ac3edd`](brianc/node-postgres@0ac3edd) fix: apply SASLprep (RFC 4013) to passwords before SCRAM-SHA-256 PBKDF2 ([ArcadeData#3669](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3669)) * [`be880d4`](brianc/node-postgres@be880d4) Assorted test fixes and cleanup ([ArcadeData#3672](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3672)) * Additional commits viewable in [compare view](https://github.com/brianc/node-postgres/commits/pg@8.21.0/packages/pg) [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
…imit (#3567)
Undertow's built-in MAX_ENTITY_SIZE silently returned 400 with an empty body. Replace with a handler-level check that returns a proper 413 with a JSON error describing the limit and the config key to adjust it.
What does this PR do?
A brief description of the change being made with this pull request.
Motivation
What inspired you to submit this pull request?
Related issues
A list of issues either fixed, containing architectural discussions, otherwise relevant
for this Pull Request.
Additional Notes
Anything else we should know when reviewing?
Checklist
mvn clean packagecommand