controllers/krate/publish: Use existing_crate for upload size check

Turbo87 · Turbo87 · commit f6e5a867cf53 · 2023-09-27T14:55:35.000+02:00
There are a couple of cases to consider here:

- if a krate with the same name exists, `existing_crate` will be `Some(_)` and the `max_upload_size` value is used.
- if no krate with the same name exists yet, `existing_crate` will be `None` and the default size limits are used.
- if no krate with the same name exists yet and there are two concurrent publish requests, the default size limits are used. this should be fine since there is no way to increase the size limits during publish or via the API in general.

tl;dr there is a potential race condition here, but it doesn't matter for this specific case
diff --git a/src/controllers/krate/publish.rs b/src/controllers/krate/publish.rs
@@ -110,6 +110,21 @@ pub async fn publish(app: AppState, req: BytesRequest) -> AppResult<Json<GoodCra
         app.rate_limiter
             .check_rate_limit(user.id, rate_limit_action, conn)?;
 
+        let content_length = tarball_bytes.len() as u64;
+
+        let maximums = Maximums::new(
+            existing_crate.as_ref().and_then(|c| c.max_upload_size),
+            app.config.max_upload_size,
+            app.config.max_unpack_size,
+        );
+
+        if content_length > maximums.max_upload_size {
+            return Err(cargo_err(&format_args!(
+                "max upload size is: {}",
+                maximums.max_upload_size
+            )));
+        }
+
         // Create a transaction on the database, if there are no errors,
         // commit the transactions to record a new or updated crate.
         conn.transaction(|conn| {
@@ -177,21 +192,6 @@ pub async fn publish(app: AppState, req: BytesRequest) -> AppResult<Json<GoodCra
                 }
             }
 
-            let content_length = tarball_bytes.len() as u64;
-
-            let maximums = Maximums::new(
-                krate.max_upload_size,
-                app.config.max_upload_size,
-                app.config.max_unpack_size,
-            );
-
-            if content_length > maximums.max_upload_size {
-                return Err(cargo_err(&format_args!(
-                    "max upload size is: {}",
-                    maximums.max_upload_size
-                )));
-            }
-
             // Read tarball from request
             let hex_cksum: String = Sha256::digest(&tarball_bytes).encode_hex();
 
