security: add file size (10MB) and row count (500k) limits to upload route

- Reject uploads larger than 10MB before reading file content - Reject CSVs with more than 500,000 data rows after parsing - Checks placed as early as possible in the handler flow - Mark task 2.3 as done in tasks.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 11:01:02 +01:00 · 2026-02-18 11:01:02 +01:00 · 0e239dc3da
commit 0e239dc3da
parent 67dd7aa2f0
2 changed files with 21 additions and 1 deletions
--- a/openspec/changes/code-review-fix/tasks.md
+++ b/openspec/changes/code-review-fix/tasks.md
@ -13,7 +13,7 @@

 - [x] 2.1 `[haiku]` Validate `run_id` matches `/^[a-zA-Z0-9_-]+$/` in `src/app/api/training/runs/[run_id]/route.ts` before interpolation
 - [x] 2.2 `[sonnet]` Validate `run_id` format and use `Path.resolve()` + directory containment check in `services/ml/app/main.py` (model load at line 1203, delete at line 1312)
- [ ] 2.3 `[sonnet]` Add file size check (reject >10MB) and row count limit (500,000) to `src/app/api/upload/route.ts`
+- [x] 2.3 `[sonnet]` Add file size check (reject >10MB) and row count limit (500,000) to `src/app/api/upload/route.ts`
 - [ ] 2.4 `[haiku]` Add file type validation (`.csv` extension, text MIME type) to `src/app/api/upload/route.ts`
 - [ ] 2.5 `[haiku]` Fix CORS in `services/ml/app/main.py`: replace `allow_origins=["*"]` with `["http://localhost:3000"]` and support `CORS_ORIGINS` env var

--- a/src/app/api/upload/route.ts
+++ b/src/app/api/upload/route.ts
@ -36,6 +36,14 @@ export async function POST(request: NextRequest): Promise<NextResponse> {
      );
    }

+    const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+    if (file.size > MAX_FILE_SIZE) {
+      return NextResponse.json(
+        { error: 'File too large. Maximum size is 10MB.' },
+        { status: 400 }
+      );
+    }
+
    const text = await file.text();

    // Derive chart name from filename (strip .csv extension)
@ -50,6 +58,18 @@ export async function POST(request: NextRequest): Promise<NextResponse> {
          try {
            const rows = results.data as any[];

+            // Validate row count
+            const MAX_ROWS = 500000;
+            if (rows.length > MAX_ROWS) {
+              resolve(
+                NextResponse.json(
+                  { error: 'File contains too many rows. Maximum is 500,000.' },
+                  { status: 400 }
+                )
+              );
+              return;
+            }
+
            // Validate headers
            if (rows.length === 0) {
              resolve(