Add MAX_CONTENT_LENGTH + content-type check to the PDF/CSV import route #4
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: high
Category: security
Location:
app.py:425-472Problem
No upload size limit and no MIME validation; a huge or malformed PDF is streamed into pdfplumber and can exhaust container memory/disk. (The suggestions upload caps at 10MB; this route does not.)
Suggested fix
Set
app.config['MAX_CONTENT_LENGTH'](e.g. 20MB) and validate content_type against an allowlist.Filed by automated code review.