Skip to content

fix(hub): raise Socket.IO maxHttpBufferSize for file downloads #516

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
GeT-LeFt wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(hub): raise Socket.IO maxHttpBufferSize for file downloads #516

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
25a8fa4
fix(hub): raise Socket.IO maxHttpBufferSize for file downloads
Apr 22, 2026
a42367b
fix: tighten default maxHttpBufferSize and cap env override
Apr 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions hub/src/socket/server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,15 @@ const jwtPayloadSchema = z.object({

const DEFAULT_IDLE_TIMEOUT_MS = 15 * 60_000
const DEFAULT_MAX_TERMINALS = 4
const DEFAULT_MAX_HTTP_BUFFER_SIZE = Math.ceil((50 * 1024 * 1024 * 4) / 3)

function resolveEnvNumber(name: string, fallback: number): number {
function resolveEnvNumber(name: string, fallback: number, max = fallback): number {
const raw = process.env[name]
if (!raw) {
return fallback
}
const parsed = Number.parseInt(raw, 10)
return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback
return Number.isFinite(parsed) && parsed > 0 ? Math.min(parsed, max) : fallback
Copy link
Copy Markdown

@github-actions github-actions Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MAJOR] This clamps every existing call to resolveEnvNumber to its fallback because max defaults to fallback. The socket buffer needs that cap, but the same helper still feeds HAPI_TERMINAL_IDLE_TIMEOUT_MS and HAPI_TERMINAL_MAX_TERMINALS, so users can no longer raise the hub terminal idle timeout above 15 minutes or terminal count above 4.

Suggested fix:

function resolveEnvNumber(name: string, fallback: number, max?: number): number {
    const raw = process.env[name]
    if (!raw) {
        return fallback
    }
    const parsed = Number.parseInt(raw, 10)
    if (!Number.isFinite(parsed) || parsed <= 0) {
        return fallback
    }
    return max === undefined ? parsed : Math.min(parsed, max)
}

maxHttpBufferSize: resolveEnvNumber(
    'HAPI_SOCKET_MAX_BUFFER_SIZE',
    DEFAULT_MAX_HTTP_BUFFER_SIZE,
    DEFAULT_MAX_HTTP_BUFFER_SIZE
),

}

export type SocketServerDeps = {
Expand Down Expand Up @@ -63,6 +64,7 @@ export function createSocketServer(deps: SocketServerDeps): {
const engine = new Engine({
path: '/socket.io/',
cors: corsOptions,
maxHttpBufferSize: resolveEnvNumber('HAPI_SOCKET_MAX_BUFFER_SIZE', DEFAULT_MAX_HTTP_BUFFER_SIZE),
Copy link
Copy Markdown

@github-actions github-actions Bot Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MAJOR] This raises the Engine.IO frame limit to 100 MiB before any namespace auth runs. allowRequest still accepts requests with no Origin, and the token/JWT checks only happen later in cliNs.use(...) / terminalNs.use(...), so an unauthenticated client can now make the hub buffer and parse much larger /socket.io/ frames than before.

We only need enough headroom for the existing 50 MiB file cap (hub/src/web/routes/sessions.ts:43), which is about 67 MiB after base64 inflation. Please keep the default near that ceiling and clamp the env override instead of opening a 100 MiB unauthenticated buffer.

Suggested fix:

const DEFAULT_MAX_HTTP_BUFFER_SIZE = Math.ceil((50 * 1024 * 1024 * 4) / 3)

function resolveEnvNumber(name: string, fallback: number, max = fallback): number {
    const raw = process.env[name]
    if (!raw) {
        return fallback
    }
    const parsed = Number.parseInt(raw, 10)
    return Number.isFinite(parsed) && parsed > 0 ? Math.min(parsed, max) : fallback
}

allowRequest: async (req) => {
const origin = req.headers.get('origin')
if (!origin || allowAllOrigins || corsOrigins.includes(origin)) {
Expand Down
Loading