fix: handle node-fetch memory leak

rowanmanning · rowanmanning · commit 6716eca8b4fe · 2024-04-26T09:17:58.000+01:00
node-fetch has a memory leak if you don't read the body of a response. Within the library we don't ever know which fetch implementaton we're using so we've had to test for a property (`pipe`) that only exists on the node-fetch response body and not native fetch. If we're throwing an error and we see that the response body has this method, then we pipe the body into a black hole stream. This means that the body is unusable if there was an error but we can document this limitation. I'd rather not mess with trying to read/parse data from the response body if possible as it adds a lot of complexity and I don't want to add _too_ many cases to deal with node-fetch when we'll be moving to native-fetch relatively soon. See-Also: https://financialtimes.atlassian.net/browse/CPREL-1047
diff --git a/packages/fetch-error-handler/README.md b/packages/fetch-error-handler/README.md
@@ -48,6 +48,9 @@ Some of the options below result in more errors being caught, you can weigh this
 
 In all of the APIs below, if the response `ok` property is `false`, i.e. when the status code is `400` or greater, then errors will be thrown.
 
+> [!WARNING]
+> If you're using node-fetch then it's important to read the body of the request because of a [known memory leak](https://github.com/node-fetch/node-fetch/issues/83). If an error is thrown then we automatically drain the response body stream but, if the request is successful, you'll need to do this yourself.
+
 ### Wrap the fetch function
 
 This is the recommended API as this will allow you to handle the most errors (even DNS and timeout errors) correctly:
diff --git a/packages/fetch-error-handler/lib/create-handler.js b/packages/fetch-error-handler/lib/create-handler.js
@@ -3,13 +3,20 @@ const {
 	OperationalError,
 	UpstreamServiceError
 } = require('@dotcom-reliability-kit/errors');
+const { Writable } = require('node:stream');
 
 /**
  * @typedef {object} ErrorHandlerOptions
  * @property {string} [upstreamSystemCode]
  *     The system code of the upstream system that the `fetch` makes a request to.
  */
 
+/**
+ * @typedef {object} FetchResponseBody
+ * @property {(stream: Writable) => void} [pipe]
+ *     A function to pipe a response body stream.
+ */
+
 /**
  * @typedef {object} FetchResponse
  * @property {boolean} ok
@@ -18,6 +25,8 @@ const {
  *     The response HTTP status code.
  * @property {string} url
  *     The URL of the response.
+ * @property {FetchResponseBody} body
+ *     A representation of the response body.
  */
 
 /* eslint-disable jsdoc/valid-types */
@@ -48,140 +57,160 @@ function createFetchErrorHandler(options = {}) {
 	return async function handleFetchErrors(input) {
 		let response = input;
 
-		// If input is a promise, resolve it. We also handle
-		// more errors this way.
-		if (isPromise(input)) {
-			try {
-				response = await input;
-			} catch (/** @type {any} */ error) {
-				const errorCode = error?.code || error?.cause?.code;
-
-				// Handle DNS errors
-				if (errorCode === 'ENOTFOUND') {
-					const hostname = error?.hostname || error?.cause?.hostname;
-					const dnsLookupErrorMessage = `Cound not resolve DNS entry${
-						hostname ? ` for host ${hostname}` : ''
-					}`;
-					throw new OperationalError({
-						code: 'FETCH_DNS_LOOKUP_ERROR',
-						message: dnsLookupErrorMessage,
-						relatesToSystems,
-						cause: error
-					});
-				}
+		// This outer try/catch is used to make sure that we're able to read
+		// the response body in the case of an error. This is important because
+		// otherwise node-fetch will leak memory. See the (still not fixed) bug:
+		// https://github.com/node-fetch/node-fetch/issues/83
+		try {
+			// If input is a promise, resolve it. We also handle
+			// more errors this way.
+			if (isPromise(input)) {
+				try {
+					response = await input;
+				} catch (/** @type {any} */ error) {
+					const errorCode = error?.code || error?.cause?.code;
 
-				// Handle standardised abort and timeout errors
-				const abortErrorMessage =
-					'The fetch was aborted before the upstream service could respond';
-				if (error?.name === 'AbortError' || error?.name === 'TimeoutError') {
-					throw new OperationalError({
-						code:
-							error.name === 'AbortError'
-								? 'FETCH_ABORT_ERROR'
-								: 'FETCH_TIMEOUT_ERROR',
-						message: abortErrorMessage,
-						relatesToSystems,
-						cause: error
-					});
-				}
+					// Handle DNS errors
+					if (errorCode === 'ENOTFOUND') {
+						const hostname = error?.hostname || error?.cause?.hostname;
+						const dnsLookupErrorMessage = `Cound not resolve DNS entry${
+							hostname ? ` for host ${hostname}` : ''
+						}`;
+						throw new OperationalError({
+							code: 'FETCH_DNS_LOOKUP_ERROR',
+							message: dnsLookupErrorMessage,
+							relatesToSystems,
+							cause: error
+						});
+					}
 
-				// Handle non-standardised timeout errors
-				if (error?.name === 'FetchError' && error?.type === 'request-timeout') {
-					throw new OperationalError({
-						code: 'FETCH_TIMEOUT_ERROR',
-						message: abortErrorMessage,
-						relatesToSystems,
-						cause: error
-					});
-				}
+					// Handle standardised abort and timeout errors
+					const abortErrorMessage =
+						'The fetch was aborted before the upstream service could respond';
+					if (error?.name === 'AbortError' || error?.name === 'TimeoutError') {
+						throw new OperationalError({
+							code:
+								error.name === 'AbortError'
+									? 'FETCH_ABORT_ERROR'
+									: 'FETCH_TIMEOUT_ERROR',
+							message: abortErrorMessage,
+							relatesToSystems,
+							cause: error
+						});
+					}
 
-				// Handle socket hangups
-				if (
-					errorCode === 'ECONNRESET' ||
-					error?.cause?.name === 'SocketError'
-				) {
-					throw new UpstreamServiceError({
-						code: 'FETCH_SOCKET_HANGUP_ERROR',
-						message: 'The connection to the upstream service was terminated',
-						relatesToSystems,
-						cause: error
-					});
+					// Handle non-standardised timeout errors
+					if (
+						error?.name === 'FetchError' &&
+						error?.type === 'request-timeout'
+					) {
+						throw new OperationalError({
+							code: 'FETCH_TIMEOUT_ERROR',
+							message: abortErrorMessage,
+							relatesToSystems,
+							cause: error
+						});
+					}
+
+					// Handle socket hangups
+					if (
+						errorCode === 'ECONNRESET' ||
+						error?.cause?.name === 'SocketError'
+					) {
+						throw new UpstreamServiceError({
+							code: 'FETCH_SOCKET_HANGUP_ERROR',
+							message: 'The connection to the upstream service was terminated',
+							relatesToSystems,
+							cause: error
+						});
+					}
+
+					// We don't know what to do with this error so
+					// we throw it as-is
+					throw error;
 				}
+			}
 
-				// We don't know what to do with this error so
-				// we throw it as-is
-				throw error;
+			// Check whether the value we were given is a valid response object
+			if (!isFetchResponse(response)) {
+				// This is not an operational error because the invalid
+				// input is highly likely to be a programmer error
+				throw Object.assign(
+					new TypeError(
+						'Fetch handler must be called with a `fetch` response object or a `fetch` promise'
+					),
+					{ code: 'FETCH_ERROR_HANDLER_INVALID_INPUT' }
+				);
 			}
-		}
 
-		// Check whether the value we were given is a valid response object
-		if (!isFetchResponse(response)) {
-			// This is not an operational error because the invalid
-			// input is highly likely to be a programmer error
-			throw Object.assign(
-				new TypeError(
-					'Fetch handler must be called with a `fetch` response object or a `fetch` promise'
-				),
-				{ code: 'FETCH_ERROR_HANDLER_INVALID_INPUT' }
-			);
-		}
+			// If the response isn't OK, we start throwing errors
+			if (!response.ok) {
+				// Parse the response URL so we can use the hostname in error messages
+				let responseHostName = 'unknown';
+				if (typeof response.url === 'string') {
+					try {
+						const url = new URL(response.url);
+						responseHostName = url.hostname;
+					} catch (_) {
+						// We ignore this error because having a valid URL isn't essential – it
+						// just helps debug if we do have one. If someone's using a weird non-standard
+						// `fetch` implementation or mocking then this error could be fired
+					}
+				}
 
-		// If the response isn't OK, we start throwing errors
-		if (!response.ok) {
-			// Parse the response URL so we can use the hostname in error messages
-			let responseHostName = 'unknown';
-			if (typeof response.url === 'string') {
-				try {
-					const url = new URL(response.url);
-					responseHostName = url.hostname;
-				} catch (_) {
-					// We ignore this error because having a valid URL isn't essential – it
-					// just helps debug if we do have one. If someone's using a weird non-standard
-					// `fetch` implementation or mocking then this error could be fired
+				// Some common error options which we'll include in any that are thrown
+				const baseErrorOptions = {
+					message: `The upstream service at "${responseHostName}" responded with a ${response.status} status`,
+					relatesToSystems,
+					upstreamUrl: response.url,
+					upstreamStatusCode: response.status
+				};
+
+				// If the back end responds with a `4xx` error then it normally indicates
+				// that something is wrong with the _current_ system. Maybe we're sending data
+				// in an invalid format or our API key is invalid. For this we throw a generic
+				// `500` error to indicate an issue with our system.
+				if (response.status >= 400 && response.status < 500) {
+					throw new HttpError(
+						Object.assign(
+							{ code: 'FETCH_CLIENT_ERROR', statusCode: 500 },
+							baseErrorOptions
+						)
+					);
 				}
-			}
 
-			// Some common error options which we'll include in any that are thrown
-			const baseErrorOptions = {
-				message: `The upstream service at "${responseHostName}" responded with a ${response.status} status`,
-				relatesToSystems,
-				upstreamUrl: response.url,
-				upstreamStatusCode: response.status
-			};
-
-			// If the back end responds with a `4xx` error then it normally indicates
-			// that something is wrong with the _current_ system. Maybe we're sending data
-			// in an invalid format or our API key is invalid. For this we throw a generic
-			// `500` error to indicate an issue with our system.
-			if (response.status >= 400 && response.status < 500) {
+				// If the back end responds with a `5xx` error then it normally indicates
+				// that something is wrong with the _upstream_ system. For this we can output
+				// an upstream service error and attribute the error to this system.
+				if (response.status >= 500 && response.status < 600) {
+					throw new UpstreamServiceError(
+						Object.assign({ code: 'FETCH_SERVER_ERROR' }, baseErrorOptions)
+					);
+				}
+
+				// If we get here then it's unclear what's wrong – `response.ok` is false but the status
+				// isn't in the 400–599 range. We throw a generic 500 error so that we have visibility.
 				throw new HttpError(
 					Object.assign(
-						{ code: 'FETCH_CLIENT_ERROR', statusCode: 500 },
+						{ code: 'FETCH_UNKNOWN_ERROR', statusCode: 500 },
 						baseErrorOptions
 					)
 				);
 			}
 
-			// If the back end responds with a `5xx` error then it normally indicates
-			// that something is wrong with the _upstream_ system. For this we can output
-			// an upstream service error and attribute the error to this system.
-			if (response.status >= 500 && response.status < 600) {
-				throw new UpstreamServiceError(
-					Object.assign({ code: 'FETCH_SERVER_ERROR' }, baseErrorOptions)
-				);
+			return response;
+		} catch (/** @type {any} */ finalError) {
+			// If the response body has a pipe method then we're dealing
+			// with a node-fetch body. In this case we need to read the
+			// body so we don't introduce a memory leak.
+			if (
+				isFetchResponse(response) &&
+				typeof response.body.pipe === 'function'
+			) {
+				response.body.pipe(new BlackHoleStream());
 			}
-
-			// If we get here then it's unclear what's wrong – `response.ok` is false but the status
-			// isn't in the 400–599 range. We throw a generic 500 error so that we have visibility.
-			throw new HttpError(
-				Object.assign(
-					{ code: 'FETCH_UNKNOWN_ERROR', statusCode: 500 },
-					baseErrorOptions
-				)
-			);
+			throw finalError;
 		}
-
-		return response;
 	};
 }
 
@@ -214,4 +243,16 @@ function isFetchResponse(value) {
 	return true;
 }
 
+/**
+ * Writable stream to pipe data into the void.
+ */
+class BlackHoleStream extends Writable {
+	/**
+	 * @override
+	 */
+	_write(chunk, encoding, done) {
+		done();
+	}
+}
+
 module.exports = createFetchErrorHandler;
diff --git a/packages/fetch-error-handler/test/unit/lib/create-handler.spec.js b/packages/fetch-error-handler/test/unit/lib/create-handler.spec.js
