Skip to content

fix: bound airdrop recipient uploads#100

Open
jamilahmadzai wants to merge 1 commit into
SmartDropLabs:mainfrom
jamilahmadzai:codex/smartdrop-upload-limits-85
Open

fix: bound airdrop recipient uploads#100
jamilahmadzai wants to merge 1 commit into
SmartDropLabs:mainfrom
jamilahmadzai:codex/smartdrop-upload-limits-85

Conversation

@jamilahmadzai

@jamilahmadzai jamilahmadzai commented Jul 15, 2026

Copy link
Copy Markdown

Summary

  • cap in-memory recipient CSV uploads with the configurable AIRDROP_CSV_MAX_BYTES limit (5 MiB by default) and return a structured 413
  • parse buffered CSV data through 64 KiB chunks and destroy the pipeline as soon as row 10,001 is observed
  • rate limit airdrop creation and recipient additions with separate Redis-backed per-IP buckets
  • set and document an intentional 2 MiB JSON body limit for legitimate inline payloads up to 10,000 recipients
  • cover file-size, streaming row-count, JSON payload, configuration, and both rate-limit paths

Security impact

Previously, Multer buffered unbounded files and the CSV parser materialized every valid row before checking the recipient cap. The mutation routes also had no throttling. This change bounds both input size and accumulated rows before service writes occur, while preserving the existing fail-open Redis limiter policy.

Validation

  • npm test -- --runInBand (22 suites, 189 tests)
  • node --check on every changed source file
  • git diff --check

Closes #85

Bounty: GrantFox OSS campaign for issue #85

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

multer() is configured with no file size limit — unbounded CSV upload enables memory-exhaustion DoS

1 participant