Summary
The Flask application currently sets:
app.config["MAX_CONTENT_LENGTH"] = None
This explicitly disables Flask’s built-in request size protection.
Additionally, there are no file size validations implemented in upload routes, including chunked uploads and ZIP handling.
Current Behavior
- No global request size limit is enforced
- No per-upload file size validation
- No cumulative size tracking for chunked uploads
- ZIP extraction does not appear to enforce size limits
Potential Impact
While this may not be critical for local desktop usage, it becomes important if the backend is deployed as a public-facing service.
Possible risks include:
- Memory exhaustion from large uploads
- Performance degradation under concurrent uploads
- ZIP bomb attacks (small compressed file expanding to very large size)
- Increased infrastructure/storage costs in hosted environments
Proposed Improvement
- Define a reasonable default request size limit, for example:
app.config["MAX_CONTENT_LENGTH"] = 500 * 1024 * 1024 # 500 MB
-
Optionally make the limit configurable via environment variable.
-
Add cumulative size validation for chunked uploads.
-
Add basic safety checks for ZIP extraction (e.g., total uncompressed size threshold).
Benefits
- Improved backend stability
- Protection against accidental or malicious oversized uploads
- Better production readiness
- No breaking API changes
Summary
The Flask application currently sets:
This explicitly disables Flask’s built-in request size protection.
Additionally, there are no file size validations implemented in upload routes, including chunked uploads and ZIP handling.
Current Behavior
Potential Impact
While this may not be critical for local desktop usage, it becomes important if the backend is deployed as a public-facing service.
Possible risks include:
Proposed Improvement
Optionally make the limit configurable via environment variable.
Add cumulative size validation for chunked uploads.
Add basic safety checks for ZIP extraction (e.g., total uncompressed size threshold).
Benefits