From fb60a4560f41cdf7ca692ec1668a84e1b6c807d3 Mon Sep 17 00:00:00 2001
From: surefire
Date: Wed, 21 Sep 2022 12:34:15 +0300
Subject: [PATCH 1/5] Respond with status code 413 if request body is too large
---
 packages/adapter-node/src/handler.js | 2 +-
 packages/adapter-vercel/files/serverless.js | 2 +-
 packages/kit/src/exports/node/index.js | 11 ++++++++---
 packages/kit/src/exports/vite/dev/index.js | 2 +-
 packages/kit/src/exports/vite/preview/index.js | 2 +-
 5 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/packages/adapter-node/src/handler.js b/packages/adapter-node/src/handler.js
index 94f331f57ccb..cfd946eb9fec 100644
--- a/packages/adapter-node/src/handler.js
+++ b/packages/adapter-node/src/handler.js
@@ -56,7 +56,7 @@ const ssr = async (req, res) => {
 });
 } catch (err) {
 res.statusCode = err.status || 400;
- res.end(err.reason || 'Invalid request body');
+ res.end(err.message || err.toString() || 'Invalid request body');
 return;
 }
diff --git a/packages/adapter-vercel/files/serverless.js b/packages/adapter-vercel/files/serverless.js
index 36fbae4c7799..0c6ad3205601 100644
--- a/packages/adapter-vercel/files/serverless.js
+++ b/packages/adapter-vercel/files/serverless.js
@@ -23,7 +23,7 @@ export default async (req, res) => {
 request = await getRequest({ base: `https://${req.headers.host}`, request: req });
 } catch (err) {
 res.statusCode = err.status || 400;
- return res.end(err.reason || 'Invalid request body');
+ return res.end(err.reason || err.toString() || 'Invalid request body');
 }
 setResponse(
diff --git a/packages/kit/src/exports/node/index.js b/packages/kit/src/exports/node/index.js
index b73c5c91b421..c9a49bc1a52e 100644
--- a/packages/kit/src/exports/node/index.js
+++ b/packages/kit/src/exports/node/index.js
@@ -1,4 +1,5 @@
 import * as set_cookie_parser from 'set-cookie-parser';
+import { HttpError } from '../../runtime/control.js';
 /**
 * @param {import('http').IncomingMessage} req
@@ -27,7 +28,8 @@ function get_raw_body(req, body_size_limit) {
 if (!length) {
 length = body_size_limit;
 } else if (length > body_size_limit) {
- throw new Error(
+ throw new HttpError(
+ 413,
 `Received content-length of ${length}, but only accept up to ${body_size_limit} bytes.`
 );
 }
@@ -45,6 +47,7 @@ function get_raw_body(req, body_size_limit) {
 return new ReadableStream({
 start(controller) {
 req.on('error', (error) => {
+ cancelled = true;
 controller.error(error);
 });
@@ -58,8 +61,10 @@ function get_raw_body(req, body_size_limit) {
 size += chunk.length;
 if (size > length) {
- req.destroy(
- new Error(
+ cancelled = true;
+ controller.error(
+ new HttpError(
+ 413,
 `request body size exceeded ${
 content_length ? "'content-length'" : 'BODY_SIZE_LIMIT'
 } of ${length}`
diff --git a/packages/kit/src/exports/vite/dev/index.js b/packages/kit/src/exports/vite/dev/index.js
index 3c28acb480d8..dabb0463285d 100644
--- a/packages/kit/src/exports/vite/dev/index.js
+++ b/packages/kit/src/exports/vite/dev/index.js
@@ -397,7 +397,7 @@ export async function dev(vite, vite_config, svelte_config) {
 });
 } catch (/** @type {any} */ err) {
 res.statusCode = err.status || 400;
- return res.end(err.message || 'Invalid request body');
+ return res.end(err.message || err.toString() || 'Invalid request body');
 }
 const template = load_template(cwd, svelte_config);
diff --git a/packages/kit/src/exports/vite/preview/index.js b/packages/kit/src/exports/vite/preview/index.js
index 55a59105b65f..5b155a690e10 100644
--- a/packages/kit/src/exports/vite/preview/index.js
+++ b/packages/kit/src/exports/vite/preview/index.js
@@ -137,7 +137,7 @@ export async function preview(vite, vite_config, svelte_config) {
 });
 } catch (/** @type {any} */ err) {
 res.statusCode = err.status || 400;
- return res.end(err.message || 'Invalid request body');
+ return res.end(err.message || err.toString() || 'Invalid request body');
 }
 setResponse(
From 88480d9903fbaf374a8e111680e1bf42c9df49b5 Mon Sep 17 00:00:00 2001
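Review bot: In the third get_raw_body hunk (`@@ -58,8 +61,10`), the removed `req.destroy(...)` was the only thing tearing down the incoming request once the limit was crossed; `controller.error(...)` only fails the consumer's ReadableStream, so as far as this hunk shows the client can keep pushing the remainder of an oversized body and Node keeps emitting `'data'` events for it. Whether those events are dropped depends on a `cancelled` guard at the top of the `'data'` handler, which is outside the hunk — confirm it exists, and add `return;` directly after the new `controller.error(...)` call so the chunk that crossed the limit is not also enqueued further down, as it presumably is. If leaving the socket open is deliberate (so the 413 can still be written back), say so next to the new `cancelled = true;`: `// do not destroy req here: the socket must stay open for the 413 response to reach the client`. The `'data'` handler and get_raw_body continue outside the hunk.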
From: surefire
Date: Wed, 21 Sep 2022 17:21:43 +0300
Subject: [PATCH 2/5] Use the error method
---
 packages/kit/src/exports/node/index.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/kit/src/exports/node/index.js b/packages/kit/src/exports/node/index.js
index c9a49bc1a52e..67b82e63f537 100644
--- a/packages/kit/src/exports/node/index.js
+++ b/packages/kit/src/exports/node/index.js
@@ -1,5 +1,5 @@
 import * as set_cookie_parser from 'set-cookie-parser';
-import { HttpError } from '../../runtime/control.js';
+import { error } from '../index.js';
 /**
 * @param {import('http').IncomingMessage} req
@@ -28,7 +28,7 @@ function get_raw_body(req, body_size_limit) {
 if (!length) {
 length = body_size_limit;
 } else if (length > body_size_limit) {
- throw new HttpError(
+ throw error(
 413,
 `Received content-length of ${length}, but only accept up to ${body_size_limit} bytes.`
 );
@@ -63,7 +63,7 @@ function get_raw_body(req, body_size_limit) {
 if (size > length) {
 cancelled = true;
 controller.error(
- new HttpError(
+ error(
 413,
 `request body size exceeded ${
 content_length ? "'content-length'" : 'BODY_SIZE_LIMIT'
From 443a2f3cff82b8b590e1fd11d68b6266769ed27c Mon Sep 17 00:00:00 2001
From: surefire
Date: Wed, 21 Sep 2022 17:48:48 +0300
Subject: [PATCH 3/5] Prevent arbitrary error messages from reaching users
---
 packages/adapter-node/src/handler.js | 2 +-
 packages/adapter-vercel/files/serverless.js | 2 +-
 packages/kit/src/exports/vite/dev/index.js | 2 +-
 packages/kit/src/exports/vite/preview/index.js | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/packages/adapter-node/src/handler.js b/packages/adapter-node/src/handler.js
index cfd946eb9fec..7177e836bf75 100644
--- a/packages/adapter-node/src/handler.js
+++ b/packages/adapter-node/src/handler.js
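Review bot: The third hunk of this commit (`@@ -63,7 +63,7`) hands the result of `error(413, ...)` to `controller.error(...)`, so it relies on `error()` returning an HttpError rather than throwing one; `throw error(...)` in the second hunk works either way, but the third would pass `undefined` into the stream if the helper's contract ever changed to throwing. A one-line comment at the new `import { error } from '../index.js';` makes that assumption visible: `// error() returns (does not throw) an HttpError; get_raw_body both throws it and passes it to controller.error()`. That import also makes this node helper depend on the package's public entry module — worth confirming `../index.js` does not import from this file, since such a cycle would only surface at load time. get_raw_body continues outside the hunks.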
@@ -56,7 +56,7 @@ const ssr = async (req, res) => {
 });
 } catch (err) {
 res.statusCode = err.status || 400;
- res.end(err.message || err.toString() || 'Invalid request body');
+ res.end('Invalid request body');
 return;
 }
diff --git a/packages/adapter-vercel/files/serverless.js b/packages/adapter-vercel/files/serverless.js
index 0c6ad3205601..25db646beefc 100644
--- a/packages/adapter-vercel/files/serverless.js
+++ b/packages/adapter-vercel/files/serverless.js
@@ -23,7 +23,7 @@ export default async (req, res) => {
 request = await getRequest({ base: `https://${req.headers.host}`, request: req });
 } catch (err) {
 res.statusCode = err.status || 400;
- return res.end(err.reason || err.toString() || 'Invalid request body');
+ return res.end('Invalid request body');
 }
 setResponse(
diff --git a/packages/kit/src/exports/vite/dev/index.js b/packages/kit/src/exports/vite/dev/index.js
index dabb0463285d..6fc103f07e17 100644
--- a/packages/kit/src/exports/vite/dev/index.js
+++ b/packages/kit/src/exports/vite/dev/index.js
@@ -397,7 +397,7 @@ export async function dev(vite, vite_config, svelte_config) {
 });
 } catch (/** @type {any} */ err) {
 res.statusCode = err.status || 400;
- return res.end(err.message || err.toString() || 'Invalid request body');
+ return res.end('Invalid request body');
 }
 const template = load_template(cwd, svelte_config);
diff --git a/packages/kit/src/exports/vite/preview/index.js b/packages/kit/src/exports/vite/preview/index.js
index 5b155a690e10..0a24a0b9c932 100644
--- a/packages/kit/src/exports/vite/preview/index.js
+++ b/packages/kit/src/exports/vite/preview/index.js
@@ -137,7 +137,7 @@ export async function preview(vite, vite_config, svelte_config) {
 });
 } catch (/** @type {any} */ err) {
 res.statusCode = err.status || 400;
- return res.end(err.message || err.toString() || 'Invalid request body');
+ return res.end('Invalid request body');
 }
 setResponse(
From 975669ae0da669d5e75b761416efe3c21c604981 Mon Sep 17 00:00:00 2001
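Review bot: With the response body fixed to `'Invalid request body'`, the catch in this adapter-node hunk (and the identical catches in the adapter-vercel, vite dev and vite preview hunks that follow) now discards `err` without recording it anywhere, so a rejected oversized upload or a malformed request leaves no server-side trace for operators to correlate with the 413/400 the client saw; log it before responding, e.g. `console.error(err);` ahead of `res.end(...)`, or route it through the adapter's logger if one exists. The unchanged `res.statusCode = err.status || 400;` still forwards whatever numeric `status` a caught error happens to carry; if anything other than kit's own HttpError can reach this catch, clamp it, e.g. `res.statusCode = Number.isInteger(err.status) && err.status >= 400 && err.status <= 599 ? err.status : 400;`. The enclosing `ssr` handler continues outside the hunk.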
From: Rich Harris
Date: Wed, 21 Sep 2022 11:19:09 -0400
Subject: [PATCH 4/5] Create strong-baboons-travel.md
---
 .changeset/strong-baboons-travel.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/strong-baboons-travel.md
diff --git a/.changeset/strong-baboons-travel.md b/.changeset/strong-baboons-travel.md
new file mode 100644
index 000000000000..b25d4617647b
--- /dev/null
+++ b/.changeset/strong-baboons-travel.md
@@ -0,0 +1,5 @@
+---
+"@sveltejs/kit": patch
+---
+
+Respond with 413 if request body is too large
From 400be4c07a9a46af8860eafa34c4efbf4b3e7026 Mon Sep 17 00:00:00 2001
From: Rich Harris
Date: Wed, 21 Sep 2022 11:20:05 -0400
Subject: [PATCH 5/5] Create five-tools-arrive.md
---
 .changeset/five-tools-arrive.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .changeset/five-tools-arrive.md
diff --git a/.changeset/five-tools-arrive.md b/.changeset/five-tools-arrive.md
new file mode 100644
index 000000000000..139d51a0ef8a
--- /dev/null
+++ b/.changeset/five-tools-arrive.md
@@ -0,0 +1,7 @@
+---
+"@sveltejs/adapter-node": patch
+"@sveltejs/adapter-vercel": patch
+"@sveltejs/kit": patch
+---
+
+Redact error message if `getRequest` fails