fix(fetchers): harden youtube transcript handling by chaliy · Pull Request #110 · everruns/fetchkit

chaliy · 2026-05-17T16:46:02Z

The YouTube timedtext transcript path previously fetched and built unbounded transcript text and then truncated with a byte-indexed slice, allowing excessive memory use and a panic on UTF-8 multibyte boundaries which can cause a denial-of-service.

Pass options.max_body_size into fetch_transcript(...) and bail out when the timedtext XML exceeds the configured cap to avoid unbounded memory use.
Introduce MAX_TRANSCRIPT_CHARS and replace unsafe byte-slicing truncation with a safe_truncate_utf8 helper to guarantee UTF-8-safe truncation in format_youtube_response.
Keep transcript parsing logic but enforce the size check before joining segments and return None on oversized payloads.
Add a regression unit test test_safe_truncate_utf8_multibyte_boundary that validates truncation does not cut inside a multibyte code point.

Ran cargo fmt --all to format changes successfully.
Ran cargo test -p fetchkit test_format_youtube_response_truncates_long_transcript and it passed.
Ran cargo test -p fetchkit test_safe_truncate_utf8_multibyte_boundary and it passed.

…ulnerability

fix(fetchers): harden youtube transcript handling

8c6ca03

chaliy added aardvark codex labels May 17, 2026 — with ChatGPT Codex Connector

chaliy added the aardvark label May 17, 2026

chaliy added 2 commits May 17, 2026 12:27

Merge branch 'main' into 2026-05-17-fix-youtube-transcript-handling-v…

f857b98

…ulnerability

Merge branch 'main' into 2026-05-17-fix-youtube-transcript-handling-v…

abdfde7

…ulnerability

chaliy merged commit 7cb86ed into main May 17, 2026
11 checks passed

chaliy deleted the 2026-05-17-fix-youtube-transcript-handling-vulnerability branch May 17, 2026 17:38

Provide feedback