BlakeRain/parcel
1
0
Fork 0
Code Issues 11 Pull requests 3 Projects 1 Releases 6 Packages 1 Wiki Activity Actions

Add size limit to uploads #43

Merged
BlakeRain merged 1 commit from security/upload-hardening into main 2026-05-24 11:35:11 +00:00
Conversation 0 Commits 1 Files changed 12 +259 -50
BlakeRain commented 2026-05-24 11:26:00 +00:00
Owner
Copy link

This PR adds a new option --upload-size-limit that enables a limit on the size of uploads in a single request. This should mitigate potential DoS with very large requests.

If the --upload-size-limit is set, then the maximum size of a request to the /uploads endpoint is limited. This requires that the Content-Length header is present, but will also count the bytes that are being read from the stream to ensure they do not exceed the limit in cases where the Content-Length header is lying.

This PR adds a new option `--upload-size-limit` that enables a limit on the size of uploads in a single request. This should mitigate potential DoS with very large requests. If the `--upload-size-limit` is set, then the maximum size of a request to the `/uploads` endpoint is limited. This requires that the `Content-Length` header is present, but will also count the bytes that are being read from the stream to ensure they do not exceed the limit in cases where the `Content-Length` header is lying.
feat: add size limit to uploads
All checks were successful
Check / check (pull_request) Successful in 4m21s
Details
36ff2f6dd4
BlakeRain force-pushed security/upload-hardening from 36ff2f6dd4
All checks were successful
Check / check (pull_request) Successful in 4m21s
Details
to 8def80476d
All checks were successful
Check / check (pull_request) Successful in 4m37s
Details
2026-05-24 11:30:25 +00:00 Compare
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
Area/API
Relates to the API

  
Area/CLI
Relates to the CLI

  
Area/Data Model
Relates to the data model

  
Area/Dependencies
Pull requests or issues that relate to dependencies

  
Area/Deployment
Relates to deployment of Parcel

  
Area/Documentation
Improvements or additions to documentation

  
Area/Downloading
Relates to downloading files

  
Area/Mobile
Relates to use of Parcel on mobile

  
Area/Teams
Relates to teams and team management

  
Area/UI
Relates to the UI

  
Area/Uploading
Relates to uploading files

  
Area/Webhooks
Relates to the webhooks

  
Kind
Bug
 Something isn't working

  
Kind
Discussion
 Currently just a discussion around some part of the project.

  
Kind
Feature
 New feature or request

  
Kind
Security
 This is security issue

  
Kind
Task
 A general task that should be performed

  
Kind
Testing
 Issue or pull request related to testing

  
Priority
Critical
 The priority is critical

  
Priority
High
 The priority is high

  
Priority/Low
The priority is low

  
Priority/Medium
The priority is medium

  
Reviewed
Confirmed
 Issue has been confirmed

  
Reviewed
Duplicate
 This issue or pull request already exists

  
Reviewed
Invalid
 Invalid issue

  
Reviewed
Won't Fix
 This issue won't be fixed

  
Status
Abandoned
 Somebody has started to work on this but abandoned work

  
Status
Blocked
 Something is blocking this issue or pull request

  
Status
Need More Info
 Feedback is required to reproduce issue or to continue work

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
question
Further information is requested

  
wontfix
This will not be worked on

No labels
Area/API
Area/CLI
Area/Data Model
Area/Dependencies
Area/Deployment
Area/Documentation
Area/Downloading
Area/Mobile
Area/Teams
Area/UI
Area/Uploading
Area/Webhooks
Kind
Bug
Kind
Discussion
Kind
Feature
Kind
Security
Kind
Task
Kind
Testing
Priority
Critical
Priority
High
Priority/Low
Priority/Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
good first issue
help wanted
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
BlakeRain
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
BlakeRain/parcel!43
No description provided.