Upload size limit on READMEs

[vignesh-sankaran]

This is currently being done by npm, one of the reasons why is to stop a potential attack vector where an malacious third party could upload a very large README file and gum up crates.io. There are ways to deal with this on the crates.io side, but this could be an interim measure while we figure this out.

[est31]

crates.io doesn't display READMEs in any way so I don't see how this could be an issue for crates.io. Maybe there needs to be a limit on the description string or other strings though.

[vignesh-sankaran]

There is an open PR for displaying READMEs, and READMEs are currently being stored in the database.

[epage]

We have some zip comb protection as of #11089 + #11337. This will limit how big of an overall .crate there is.

As for whether README.md size is a concern, I'd want to hear from crates.io. @Turbo87 any thoughts on how we should triage this?

[Turbo87]

we have a server-side limit on the size of the metadata json blob, which restricts the size of the readme to some degree. we don't have a restriction specifically for the readme, but once we read it from the tarball we should probably implement something like that.

[epage]

Sounds like this is being resolved on the server side, so I'm going to close this out for cargo's side. If there is a reason this should be enforced on the client side uniformly across all registries, let us know!