Security: Request body size limit + streaming upload validation #80
Labels
No labels
area:api
area:core
area:docs
area:infra
area:ux
dependencies
documentation
duplicate
good first issue
help wanted
invalid
question
rust
status:complete
status:partial
status:planned
type:bug
type:design
type:feature
type:infra
type:refactor
type:refactor
type:research
type:ux
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
icub3d/decentcom#80
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: High — found in code review 2026-07-07. (Rate limiting is tracked separately in #48; this is the body-size / buffering half.)
Problem
DefaultBodyLimit/RequestBodyLimitLayeris configured anywhere (main.rsadds only CORS). The effective ceiling is axum's implicit default, notconfig.content.max_file_size(default 25 MB).attachments/handlers.rs:145andprofiles/handlers.rs:130callfield.bytes().awaitfirst, then compare against the limit. The attachment loop accumulates across many fields.Impact: memory exhaustion via large or many upload fields.
Fix
RequestBodyLimitLayer/DefaultBodyLimitsized from config.