Add security fixes: SHA256 hash validation and streaming file size enforcement

- Add field_validator to ResumableUploadInitRequest to validate expected_hash
  is a valid 64-character lowercase hex SHA256 hash (normalizes to lowercase)
- Add FileSizeExceededError exception for file size limit violations
- Enforce file size limits in storage layer during streaming (prevents
  bypassing the limit with a spoofed Content-Length header)
- Add FileSizeExceededError handler in upload endpoint returning HTTP 413
- Add node_modules and frontend/dist to .gitignore
Mondo Diaz
2026-01-05 15:43:19 -06:00
parent 55a38ad850
commit af66fd5845
4 changed files with 48 additions and 4 deletions


@@ -28,6 +28,7 @@ from .storage import (
MULTIPART_CHUNK_SIZE,
StorageError,
HashComputationError,
FileSizeExceededError,
S3ExistenceCheckError,
S3UploadError,
S3StorageUnavailableError,
@@ -1033,6 +1034,12 @@ def upload_artifact(
status_code=500,
detail="Data integrity error detected. Please contact support.",
)
except FileSizeExceededError as e:
logger.warning(f"File size exceeded during upload: {e}")
raise HTTPException(
status_code=413,
detail=f"File too large. Maximum size is {settings.max_file_size // (1024 * 1024 * 1024)}GB",
)
except StorageError as e:
logger.error(f"Storage error during upload: {e}")
raise HTTPException(status_code=500, detail="Internal storage error")
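Review bot: The 413 detail in the new `except FileSizeExceededError` branch floors `settings.max_file_size` to whole GiB with `//`, so any configured limit below 1 GiB is reported to the client as "Maximum size is 0GB" and a limit that is not a whole number of GiB is understated. Formatting the value without truncation avoids this, for example `detail=f"File too large. Maximum size is {settings.max_file_size / (1024 ** 3):.2f}GB",`. Because this error is raised mid-stream rather than from the Content-Length check, it is also worth confirming that the storage layer aborts the partial multipart upload or removes the partial object before raising; otherwise rejected oversized uploads could still consume storage. That cleanup is not visible here, and the body of `upload_artifact` starts and ends outside this hunk.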