✨ Make max_response_size configurable

Though it would be useful to also have limits based on response type and
what commands are currently running, that's out of scope for now.

_Please note:_ this only limits the size per response.  It does _not_
limit how many unhandled responses may be stored on the responses hash.

Author: nevans

lib/net/imap.rb

@@ -234,6 +234,10 @@ module Net
   #
   # Use paginated or limited versions of commands whenever possible.
   #
+  # Use Config#max_response_size to impose a limit on incoming server responses
+  # as they are being read.  <em>This is especially important for untrusted
+  # servers.</em>
+  #
   # Use #add_response_handler to handle responses after each one is received.
   # Use the +response_handlers+ argument to ::new to assign response handlers
   # before the receiver thread is started.  Use #extract_responses,
@@ -853,9 +857,17 @@ class << self
     # Seconds to wait until an IDLE response is received.
     # Delegates to {config.idle_response_timeout}[rdoc-ref:Config#idle_response_timeout].
 
+    ##
+    # :attr_accessor: max_response_size
+    #
+    # The maximum allowed server response size, in bytes.
+    # Delegates to {config.max_response_size}[rdoc-ref:Config#max_response_size].
+
     # :stopdoc:
     def open_timeout;           config.open_timeout            end
     def idle_response_timeout;  config.idle_response_timeout   end
+    def max_response_size;      config.max_response_size       end
+    def max_response_size=(val) config.max_response_size = val end
     # :startdoc:
 
     # The hostname this client connected to

lib/net/imap/config.rb

@@ -268,6 +268,40 @@ def self.[](config)
         false, :when_capabilities_cached, true
       ]
 
+      # The maximum allowed server response size.  When +nil+, there is no limit
+      # on response size.
+      #
+      # The default value (512 MiB, since +v0.5.7+) is <em>very high</em> and
+      # unlikely to be reached.  A _much_ lower value should be used with
+      # untrusted servers (for example, when connecting to a user-provided
+      # hostname).  When using a lower limit, message bodies should be fetched
+      # in chunks rather than all at once.
+      #
+      # <em>Please Note:</em> this only limits the size per response.  It does
+      # not prevent a flood of individual responses and it does not limit how
+      # many unhandled responses may be stored on the responses hash.  See
+      # Net::IMAP@Unbounded+memory+use.
+      #
+      # Socket reads are limited to the maximum remaining bytes for the current
+      # response: max_response_size minus the bytes that have already been read.
+      # When the limit is reached, or reading a +literal+ _would_ go over the
+      # limit, ResponseTooLargeError is raised and the connection is closed.
+      #
+      # Note that changes will not take effect immediately, because the receiver
+      # thread may already be waiting for the next response using the previous
+      # value.  Net::IMAP#noop can force a response and enforce the new setting
+      # immediately.
+      #
+      # ==== Versioned Defaults
+      #
+      # Net::IMAP#max_response_size <em>was added in +v0.2.5+ and +v0.3.9+ as an
+      # attr_accessor, and in +v0.4.20+ and +v0.5.7+ as a delegator to this
+      # config attribute.</em>
+      #
+      # * original: +nil+ <em>(no limit)</em>
+      # * +0.5+: 512 MiB
+      attr_accessor :max_response_size, type: Integer?
+
       # Controls the behavior of Net::IMAP#responses when called without any
       # arguments (+type+ or +block+).
       #
@@ -446,6 +480,7 @@ def defaults_hash
         idle_response_timeout: 5,
         sasl_ir: true,
         enforce_logindisabled: true,
+        max_response_size: 512 << 20, # 512 MiB
         responses_without_block: :warn,
         parser_use_deprecated_uidplus_data: :up_to_max_size,
         parser_max_deprecated_uidplus_data_size: 100,
@@ -459,6 +494,7 @@ def defaults_hash
         sasl_ir: false,
         responses_without_block: :silence_deprecation_warning,
         enforce_logindisabled: false,
+        max_response_size: nil,
         parser_use_deprecated_uidplus_data: true,
         parser_max_deprecated_uidplus_data_size: 10_000,
       ).freeze
@@ -474,6 +510,7 @@ def defaults_hash
 
       version_defaults[0.5r] = Config[0.4r].dup.update(
         enforce_logindisabled: true,
+        max_response_size: 512 << 20, # 512 MiB
         responses_without_block: :warn,
         parser_use_deprecated_uidplus_data: :up_to_max_size,
         parser_max_deprecated_uidplus_data_size: 100,

lib/net/imap/config/attr_type_coercion.rb

@@ -18,6 +18,8 @@ def attr_accessor(attr, type: nil)
             super(attr)
             AttrTypeCoercion.attr_accessor(attr, type: type)
           end
+
+          module_function def Integer? = NilOrInteger
         end
         private_constant :Macros
 
@@ -39,6 +41,8 @@ def self.attr_accessor(attr, type: nil)
           define_method :"#{attr}?" do send attr end if type == Boolean
         end
 
+        NilOrInteger = safe{->val { Integer val unless val.nil? }}
+
         Enum = ->(*enum) {
           enum     = safe{enum}
           expected = -"one of #{enum.map(&:inspect).join(", ")}"

lib/net/imap/response_reader.rb

@@ -52,7 +52,7 @@ def read_limit(limit = nil)
         [limit, max_response_remaining!].compact.min
       end
 
-      def max_response_size      = 512 << 20 # TODO: Config#max_response_size
+      def max_response_size      = client.max_response_size
       def max_response_remaining = max_response_size &.- bytes_read
       def response_too_large?    = max_response_size &.< min_response_size
       def min_response_size      = bytes_read + min_response_remaining

test/net/imap/test_config.rb

@@ -427,4 +427,17 @@ def duck.to_r   = 1/11111
     assert_same grandchild, greatgrandchild.parent
   end
 
+  test "#max_response_size=(Integer | nil)" do
+    config = Config.new
+
+    config.max_response_size = 10_000
+    assert_equal 10_000, config.max_response_size
+
+    config.max_response_size = nil
+    assert_nil config.max_response_size
+
+    assert_raise(ArgumentError) do config.max_response_size = "invalid" end
+    assert_raise(TypeError) do config.max_response_size = :invalid  end
+  end
+
 end

test/net/imap/test_imap_max_response_size.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "net/imap"
+require "test/unit"
+require_relative "fake_server"
+
+class IMAPMaxResponseSizeTest < Test::Unit::TestCase
+  include Net::IMAP::FakeServer::TestHelper
+
+  def setup
+    Net::IMAP.config.reset
+    @do_not_reverse_lookup = Socket.do_not_reverse_lookup
+    Socket.do_not_reverse_lookup = true
+    @threads = []
+  end
+
+  def teardown
+    if !@threads.empty?
+      assert_join_threads(@threads)
+    end
+  ensure
+    Socket.do_not_reverse_lookup = @do_not_reverse_lookup
+  end
+
+  test "#max_response_size reading literals" do
+    with_fake_server(preauth: true) do |server, imap|
+      imap.max_response_size = 12_345 + 30
+      server.on("NOOP") do |resp|
+        resp.untagged("1 FETCH (BODY[] {12345}\r\n" + "a" * 12_345 + ")")
+        resp.done_ok
+      end
+      imap.noop
+      assert_equal "a" * 12_345, imap.responses("FETCH").first.message
+    end
+  end
+
+  test "#max_response_size closes connection for too long line" do
+    Net::IMAP.config.max_response_size = 10
+    run_fake_server_in_thread(preauth: false, ignore_io_error: true) do |server|
+      assert_raise_with_message(
+        Net::IMAP::ResponseTooLargeError, /exceeds max_response_size .*\b10B\b/
+      ) do
+        with_client("localhost", port: server.port) do
+          fail "should not get here (greeting longer than max_response_size)"
+        end
+      end
+    end
+  end
+
+  test "#max_response_size closes connection for too long literal" do
+    Net::IMAP.config.max_response_size = 1<<20
+    with_fake_server(preauth: false, ignore_io_error: true) do |server, client|
+      client.max_response_size = 50
+      server.on("NOOP") do |resp|
+        resp.untagged("1 FETCH (BODY[] {1000}\r\n" + "a" * 1000 + ")")
+      end
+      assert_raise_with_message(
+        Net::IMAP::ResponseTooLargeError,
+        /\d+B read \+ 1000B literal.* exceeds max_response_size .*\b50B\b/
+      ) do
+        client.noop
+        fail "should not get here (FETCH literal longer than max_response_size)"
+      end
+    end
+  end
+
+end

test/net/imap/test_response_reader.rb

@@ -11,6 +11,7 @@ def setup
 
   class FakeClient
     def config = @config ||= Net::IMAP.config.new
+    def max_response_size = config.max_response_size
   end
 
   def literal(str) = "{#{str.bytesize}}\r\n#{str}"
@@ -49,22 +50,14 @@ def literal(str) = "{#{str.bytesize}}\r\n#{str}"
     assert_equal "",           rcvr.read_response_buffer.to_str
   end
 
-  class LimitedResponseReader < Net::IMAP::ResponseReader
-    attr_reader :max_response_size
-    def initialize(*args, max_response_size:)
-      super(*args)
-      @max_response_size = max_response_size
-    end
-  end
-
   test "#read_response_buffer with max_response_size" do
     client = FakeClient.new
-    max_response_size = 10
+    client.config.max_response_size = 10
     under = "+ 3456\r\n"
     exact = "+ 345678\r\n"
     over  = "+ 3456789\r\n"
     io = StringIO.new([under, exact, over].join)
-    rcvr = LimitedResponseReader.new(client, io, max_response_size:)
+    rcvr = Net::IMAP::ResponseReader.new(client, io)
     assert_equal under, rcvr.read_response_buffer.to_str
     assert_equal exact, rcvr.read_response_buffer.to_str
     assert_raise Net::IMAP::ResponseTooLargeError do