frank/cookslate
frank/cookslate
1
0
Fork 0
Code Issues 50 Pull requests Projects Releases Packages Wiki Activity Actions

Security: ImageProcessor.processFromUrl() missing download size check #48

New issue
Open
opened 2026-04-22 00:34:57 +00:00 by frank · 0 comments
frank commented 2026-04-22 00:34:57 +00:00
Owner
Copy link

Direct uploads enforce a 10MB MAX_UPLOAD_SIZE limit, but processFromUrl() downloads images from URLs without checking file size. Could be used to exhaust disk space.

Fix: Add Content-Length check or stream-with-limit when downloading from URL.

Files: api/services/ImageProcessor.php
Tech debt: TD11 | Security audit: related to INP03

Direct uploads enforce a 10MB MAX_UPLOAD_SIZE limit, but processFromUrl() downloads images from URLs without checking file size. Could be used to exhaust disk space. Fix: Add Content-Length check or stream-with-limit when downloading from URL. Files: api/services/ImageProcessor.php Tech debt: TD11 | Security audit: related to INP03
frank added this to the Launch Prep milestone 2026-04-22 00:34:57 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
No results found.
Labels
Clear labels   
bug

Something isnt working

  
deferred

Intentionally deferred, revisit later

  
documentation

Documentation improvements

  
enhancement

New feature or request

  
feature

New feature or capability

  
infra

Infrastructure, deployment, monitoring

  
integration

Third-party integrations and imports

  
marketing

Marketing, community, and outreach

  
priority:high

High priority

  
priority:low

Low priority

  
priority:medium

Medium priority

  
Pro

Pro/Household tier feature

  
security

Security-related item

  
UX

User experience improvement

No labels
bug
deferred
documentation
enhancement
feature
infra
integration
marketing
priority:high
priority:low
priority:medium
Pro
security
UX
Milestone
Clear milestone
No items
No milestone
Launch Prep
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
frank/cookslate#48
No description provided.