-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release/7.0] Enforce HttpClient limits on GetFromJsonAsync #80553
Conversation
Tagging subscribers to this area: @dotnet/ncl Issue DetailsBackport of a minimized change of #79386 to release/7.0 Customer ImpactTODO TestingTODO RiskTODO
|
Tomorrow is the last day for merging backports for the February Release. Can you please fill out the template, making sure the customer impact is clearly described, add the Also, there are networking-related CI failures. Can you please investigate them? |
Build failure is known according to build analysis. |
Talked to @MihaZupan. This will go in next month. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
Approved by Tactics via email by @SteveMCarroll on 2/9. |
Approved by Tactics for 7.0.4. |
@MihaZupan @ManickaP I'm looking at the rolling builds for the release/7.0 branch, and after merging this PR, I am seeing a nuget issue related to System.Net.Http.Json: https://github.com/dotnet/runtime/runs/11233952875 Can you please take a look? I'll open an issue to track this. It needs to get fixed before Monday EOD. That's the day we close the servicing branches. Edit: I opened #81914 and pinged Viktor/Eric for help. |
Backport of a minimized change of #79386 to release/7.0
Customer Impact
HttpClient has two properties users can tweak to limit the amount of time and resources spent on a given request (
Timeout
andMaxResponseContentBufferSize
).GetFromJsonAsync
is inconsistent in the enforcement of these limits compared to other helpers (GetStringAsync
,GetByteArrayAsync
, andDeleteFromJsonAsync
).There are three main ways to get the response content from HttpClient:
ResponseHeadersRead
, asking the client not to buffer the response content as part of theSendAsync
callThis change changes the behavior of the
client.GetFromJsonAsync
helper to match that ofGetStringAsync
and friends (case 1).This allows us to present consistent
HttpClient
behavior across the board.Testing
I added targeted CI tests that confirm limits are consistently enforced.
Risk
The enforcement of limits means that some requests that would previously succeed may now fail (either time out or exceed the size limit). It is unlikely that anyone is knowingly relying on this behavior given the inconsistencies mentioned above.
The default limits are also very large (100 seconds and 2 GB of content), so for a request to hit them, the user has most likely lowered them manually, indicating the intent that they do want them to be enforced. It also means that if they do run into issues, they can tweak the existing settings directly.
The change can also result in slightly higher memory consumption as we're buffering the whole body before we start the deserialization process. We do not expect this to be meaningfully impactful.