Summary
The Flask application currently sets:

```python
app.config["MAX_CONTENT_LENGTH"] = None
```

This explicitly disables Flask's built-in request size protection.
Additionally, there are no file size validations implemented in upload routes, including chunked uploads and ZIP handling.
Current Behavior
- No global request size limit is enforced
- No per-upload file size validation
- No cumulative size tracking for chunked uploads
- ZIP extraction does not appear to enforce size limits
Potential Impact
While this may not be critical for local desktop usage, it becomes important if the backend is deployed as a public-facing service.
Possible risks include:
- Memory exhaustion from large uploads
- Performance degradation under concurrent uploads
- ZIP bomb attacks (small compressed file expanding to very large size)
- Increased infrastructure/storage costs in hosted environments
Proposed Improvement
- Define a reasonable default request size limit, for example:

  ```python
  app.config["MAX_CONTENT_LENGTH"] = 500 * 1024 * 1024  # 500 MB
  ```

- Optionally make the limit configurable via environment variable.
- Add cumulative size validation for chunked uploads.
- Add basic safety checks for ZIP extraction (e.g., total uncompressed size threshold).
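The three proposals above (an environment-configurable request limit, cumulative accounting for chunked uploads, and an uncompressed-size threshold for ZIP extraction) as an added, self-contained example. This is not the project's code: the environment variable name `MAX_CONTENT_LENGTH_MB`, the 2 GiB and 100:1 ZIP thresholds, and the `ChunkedUploadTracker` class are assumptions chosen for illustration, and the sample ZIP is constructed in memory. The helpers avoid importing Flask so they run offline; `max_content_length_from_env()` returns the value you would assign to `app.config["MAX_CONTENT_LENGTH"]`. The ZIP check goes slightly beyond the issue's wording by also flagging an extreme per-member compression ratio, and by counting the bytes actually produced rather than trusting the sizes declared in the archive.

```python
import io
import os
import zipfile

# Default proposed in the issue: 500 MB per request.
DEFAULT_MAX_CONTENT_LENGTH = 500 * 1024 * 1024
# Hypothetical ZIP thresholds (assumed values, not from the project).
DEFAULT_MAX_UNCOMPRESSED = 2 * 1024 * 1024 * 1024  # 2 GiB total uncompressed
DEFAULT_MAX_RATIO = 100  # uncompressed/compressed ratio above which a member looks like a bomb


class UploadTooLarge(Exception):
    """Raised when a request, chunked upload, or archive exceeds a size limit."""


def max_content_length_from_env(env=None):
    """Resolve the request size limit in bytes from MAX_CONTENT_LENGTH_MB (assumed name).

    Assign the result to app.config["MAX_CONTENT_LENGTH"]; Flask then rejects
    larger single requests with 413 before the view body reads them.
    """
    env = os.environ if env is None else env
    raw = env.get("MAX_CONTENT_LENGTH_MB")
    if raw is None:
        return DEFAULT_MAX_CONTENT_LENGTH
    megabytes = int(raw)
    if megabytes <= 0:
        raise ValueError("MAX_CONTENT_LENGTH_MB must be a positive integer")
    return megabytes * 1024 * 1024


class ChunkedUploadTracker:
    """Cumulative size accounting per upload id (hypothetical helper).

    MAX_CONTENT_LENGTH only bounds one request, so a client could split a huge
    file into many small chunks. Every chunk is counted against one running total.
    """

    def __init__(self, limit):
        self.limit = limit
        self._received = {}

    def add_chunk(self, upload_id, chunk_len):
        total = self._received.get(upload_id, 0) + chunk_len
        if total > self.limit:
            # Forget the partial upload so a retry cannot keep growing it.
            self._received.pop(upload_id, None)
            raise UploadTooLarge(f"upload {upload_id} exceeds {self.limit} bytes")
        self._received[upload_id] = total
        return total

    def finish(self, upload_id):
        """Return the final size and forget the upload."""
        return self._received.pop(upload_id, 0)


def declared_uncompressed_size(zip_bytes, max_total=DEFAULT_MAX_UNCOMPRESSED,
                               max_ratio=DEFAULT_MAX_RATIO):
    """Cheap pre-check using the sizes recorded in the central directory."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise UploadTooLarge(f"{info.filename}: compression ratio too high")
            total += info.file_size
            if total > max_total:
                raise UploadTooLarge("declared uncompressed size exceeds limit")
    return total


def measured_uncompressed_size(zip_bytes, max_total=DEFAULT_MAX_UNCOMPRESSED,
                               chunk=64 * 1024):
    """Authoritative check: header sizes are attacker-controlled, so stream each
    member and count the bytes actually produced, aborting once the limit is crossed."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    block = member.read(chunk)
                    if not block:
                        break
                    total += len(block)
                    if total > max_total:
                        raise UploadTooLarge("uncompressed data exceeds limit")
    return total


def build_sample_zip():
    """Constructed sample: 1 MB of one repeated byte, which deflates to roughly 1 KB."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"A" * 1_000_000)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("declared:", declared_uncompressed_size(sample, max_ratio=10_000))
    print("measured:", measured_uncompressed_size(sample))
```

In a Flask upload route the pattern would be: run `declared_uncompressed_size()` first to reject obvious bombs without decompressing anything, then extract while `measured_uncompressed_size()`-style byte counting is enforced, and feed each chunk endpoint's `Content-Length` into a shared `ChunkedUploadTracker` keyed by the upload id.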
Benefits
- Improved backend stability
- Protection against accidental or malicious oversized uploads
- Better production readiness
- No breaking API changes