Add MAX_CONTENT_LENGTH + content-type check to the PDF/CSV import route #4

Open
opened 2026-06-06 19:58:10 +00:00 by tonym · 0 comments

Severity: high
Category: security
Location: app.py:425-472

Problem

No upload size limit and no MIME validation; a huge or malformed PDF is streamed into pdfplumber and can exhaust container memory/disk. (The suggestions upload caps at 10MB; this route does not.)

Suggested fix

Set app.config['MAX_CONTENT_LENGTH'] (e.g. 20MB) and validate content_type against an allowlist.

Filed by automated code review.

**Severity:** high **Category:** security **Location:** `app.py:425-472` ### Problem No upload size limit and no MIME validation; a huge or malformed PDF is streamed into pdfplumber and can exhaust container memory/disk. (The suggestions upload caps at 10MB; this route does not.) ### Suggested fix Set `app.config['MAX_CONTENT_LENGTH']` (e.g. 20MB) and validate content_type against an allowlist. _Filed by automated code review._
tonym added the
security
severity:high
labels 2026-06-06 19:58:10 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: bonna61/Moon-Household-Budget#4
No description provided.