fix(api): bound request-body reads on speech/knowledge-chunks/help routes#5601
Conversation
…utes Replace unbounded request.json()/formData() reads with the existing size-limited helpers, and move auth ahead of the body read on the knowledge chunks route so unauthenticated callers can't force a large allocation before being rejected.
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryLow Risk Overview
Knowledge document chunks
Reviewed by Cursor Bugbot for commit e8197fc. Configure here. |
Greptile SummaryThis PR bounds request-body reads on several API routes. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (2): Last reviewed commit: "fix(knowledge): reject non-string workfl..." | Re-trigger Greptile |
…ping authorization A truthy non-string workflowId previously fell through the type guard and skipped the workflow-scoped write authorization entirely. Validate the type explicitly and fail closed with a 400 instead.
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit e8197fc. Configure here.
Summary
/api/speech/tokenread the request body with rawrequest.json()before auth, so an unauthenticated caller could force a large in-memory buffer with no cap/api/knowledge/[id]/documents/[documentId]/chunks(POST) had the same raw pre-auth read; moved auth ahead of the body parse and switched to the size-limited helper/api/help(already auth-gated) used rawformData()with no cap; switched to the existing bounded form-data reader for consistencyType of Change
Testing
/api/speech/tokenbody is rejected before any auth/billing work runsbun run check:api-validation, full typecheck, and existing test suites passChecklist