Merge pull request #544 from CartoDB/max-error-header-size

Limit size of error header

app/middlewares/error.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const errorHandlerFactory = require('../services/error_handler_factory');
+const MAX_ERROR_STRING_LENGTH = 1024;
 
 module.exports = function error() {
     return function errorMiddleware(err, req, res, next) {
@@ -74,7 +75,9 @@ function setErrorHeader(errorHandler, res) {
 function stringifyForLogs(object) {
     Object.keys(object).map(key => {
         if (typeof object[key] === 'string') {
-            object[key] = object[key].replace(/[^a-zA-Z0-9]/g, ' ');
+            object[key] = object[key]
+		.substring(0, MAX_ERROR_STRING_LENGTH)
+		.replace(/[^a-zA-Z0-9]/g, ' ');
         } else if (typeof object[key] === 'object') {
             stringifyForLogs(object[key]);
         } else if (object[key] instanceof Array) {

test/unit/error_handler.test.js

@@ -2,6 +2,7 @@
 
 var assert = require('assert');
 var errorMiddleware = require('../../app/middlewares/error');
+require('../helper');
 
 const req = { query: { callback: true } };
 
@@ -115,4 +116,28 @@ describe('error-handler', function() {
             done();
         });
     });
+
+    it('should truncat too long error messages', function (done) {
+        const veryLongString = 'Very long error message '.repeat(1000);
+        const truncatedString = veryLongString.substring(0, 1024);
+
+        let error = new Error(veryLongString);
+
+        const expectedErrorHeader = {
+            statusCode: 400,
+            message: truncatedString
+	};
+
+        const res = getRes();
+
+        errorMiddleware()(error, req, res, function () {
+            assert.ok(res.headers['X-SQLAPI-Errors'].length > 0);
+            assert.deepEqual(
+                res.headers['X-SQLAPI-Errors'],
+                JSON.stringify(expectedErrorHeader)
+            );
+
+            done();
+        });
+    });
 });