Skip to content

enforce 5 MB default file-size limit on get_component_file#710

Merged
kriszyp merged 1 commit into
mainfrom
kris/pensive-margulis-865e80
May 21, 2026
Merged

enforce 5 MB default file-size limit on get_component_file#710
kriszyp merged 1 commit into
mainfrom
kris/pensive-margulis-865e80

Conversation

@kriszyp
Copy link
Copy Markdown
Member

@kriszyp kriszyp commented May 21, 2026

Closes #600.

Summary

  • get_component_file now refuses files larger than a configurable limit, returning HTTP 413 with a clear error message.
  • Default limit: 5 MB (5 * 1024 * 1024 bytes).
  • Operators can override via operationsApi.componentFile.maxSize (bytes) in harperdb-config.yaml.

Changes

  • components/operations.js — read config value, validate it (guard against non-numeric), check stats.size before readFile; compute file path once (DRY)
  • utility/errors/commonErrors.ts — add CONTENT_TOO_LARGE: 413 status code; add COMPONENT_FILE_TOO_LARGE error message
  • utility/hdbTerms.ts — add OPERATIONSAPI_COMPONENTFILE_MAXSIZE config param
  • config-root.schema.json — document operationsApi.componentFile.maxSize
  • unitTests/server/fastifyRoutes/operations.test.js — add test for the 413 rejection path

Notes for reviewer

  • Cross-model review (Codex + Gemini) raised a TOCTOU concern (stat then readFile race). Risk is low here — component directories are admin-controlled — but worth a follow-up hardening issue if desired.
  • Path traversal via project is a pre-existing gap in getComponentFileValidator (not introduced here); flagged separately.

Generated by Claude Sonnet 4.6.

@kriszyp @claude
enforce 5 MB default file-size limit on get_component_file (#600)
f17afc1 
Files over the limit return HTTP 413 with a clear message. Operators can
raise the cap via operationsApi.componentFile.maxSize in harperdb-config.yaml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
Copy link
Copy Markdown
Contributor

claude Bot commented May 21, 2026

Reviewed; no blockers found.

@kriszyp kriszyp merged commit 974cf40 into main May 21, 2026
36 of 37 checks passed
@kriszyp kriszyp deleted the kris/pensive-margulis-865e80 branch May 21, 2026 23:43
@kriszyp kriszyp mentioned this pull request May 22, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ethan-Arrowood Ethan-Arrowood Ethan-Arrowood approved these changes

@DavidCockerill DavidCockerill Awaiting requested review from DavidCockerill

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

get_component_file: enforce a file-size limit (default 5 MB)

2 participants

@kriszyp @Ethan-Arrowood