Skip to content

fix(api): bound request-body reads on speech/knowledge-chunks/help routes#5601

Merged
waleedlatif1 merged 2 commits into
stagingfrom
fix/unbounded-body-read-dos
Jul 11, 2026
Merged

fix(api): bound request-body reads on speech/knowledge-chunks/help routes#5601
waleedlatif1 merged 2 commits into
stagingfrom
fix/unbounded-body-read-dos

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • /api/speech/token read the request body with raw request.json() before auth, so an unauthenticated caller could force a large in-memory buffer with no cap
  • /api/knowledge/[id]/documents/[documentId]/chunks (POST) had the same raw pre-auth read; moved auth ahead of the body parse and switched to the size-limited helper
  • /api/help (already auth-gated) used raw formData() with no cap; switched to the existing bounded form-data reader for consistency

Type of Change

  • Bug fix

Testing

  • Added a test asserting an oversized /api/speech/token body is rejected before any auth/billing work runs
  • bun run check:api-validation, full typecheck, and existing test suites pass

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

…utes

Replace unbounded request.json()/formData() reads with the existing
size-limited helpers, and move auth ahead of the body read on the
knowledge chunks route so unauthenticated callers can't force a large
allocation before being rejected.
@vercel

vercel Bot commented Jul 11, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 11, 2026 7:40pm

Request Review

@cursor

cursor Bot commented Jul 11, 2026

Copy link
Copy Markdown

PR Summary

Low Risk
Defensive request-size limits and ordering fixes; behavior for normal payloads should be unchanged aside from explicit 413 responses on oversized bodies.

Overview
Adds size-limited request body reads on three API routes so callers cannot force unbounded in-memory buffering.

/api/speech/token now parses JSON via parseOptionalJsonBody with a 16KB cap before chat/session auth, billing, or usage recording. Oversized bodies return 413 without touching auth or billing (covered by a new test).

Knowledge document chunks POST runs authentication first, then uses parseJsonBody instead of raw req.json(), and validates workflowId is a string when present.

/api/help replaces unbounded formData() with readFormDataWithLimit, using the same large bound as workspace file uploads (plus multipart overhead) for multi-image submissions, and returns 413 when the limit is exceeded.

Reviewed by Cursor Bugbot for commit e8197fc. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR bounds request-body reads on several API routes. The main changes are:

  • Moves speech token JSON parsing to a size-limited helper.
  • Moves knowledge chunk body parsing after auth and rejects malformed workflowId values.
  • Uses the shared bounded form-data reader for help requests.
  • Adds coverage for oversized speech token bodies.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/route.ts The route now parses JSON after auth and rejects non-string workflowId values before workflow authorization.
apps/sim/app/api/speech/token/route.ts The route now uses a bounded optional JSON parser before auth and billing work.
apps/sim/app/api/speech/token/route.test.ts Adds a test for oversized speech token request bodies.
apps/sim/app/api/help/route.ts The route now reads multipart form data through the shared bounded helper and returns 413 for oversized requests.

Reviews (2): Last reviewed commit: "fix(knowledge): reject non-string workfl..." | Re-trigger Greptile

Comment thread apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/route.ts Outdated
…ping authorization

A truthy non-string workflowId previously fell through the type guard and
skipped the workflow-scoped write authorization entirely. Validate the
type explicitly and fail closed with a 400 instead.
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit e8197fc. Configure here.

@waleedlatif1 waleedlatif1 merged commit e2e29ee into staging Jul 11, 2026
18 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/unbounded-body-read-dos branch July 11, 2026 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant