security: add file size (10MB) and row count (500k) limits to upload route

- Reject uploads larger than 10MB before reading file content - Reject CSVs with more than 500,000 data rows after parsing - Checks placed as early as possible in the handler flow - Mark task 2.3 as done in tasks.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 11:01:02 +01:00 · 2026-02-18 11:01:02 +01:00 · 0e239dc3da
commit 0e239dc3da
parent 67dd7aa2f0
2 changed files with 21 additions and 1 deletions
--- a/src/app/api/upload/route.ts
+++ b/src/app/api/upload/route.ts
@ -36,6 +36,14 @@ export async function POST(request: NextRequest): Promise<NextResponse> {
      );
    }

+    const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+    if (file.size > MAX_FILE_SIZE) {
+      return NextResponse.json(
+        { error: 'File too large. Maximum size is 10MB.' },
+        { status: 400 }
+      );
+    }
+
    const text = await file.text();

    // Derive chart name from filename (strip .csv extension)
@ -50,6 +58,18 @@ export async function POST(request: NextRequest): Promise<NextResponse> {
          try {
            const rows = results.data as any[];

+            // Validate row count
+            const MAX_ROWS = 500000;
+            if (rows.length > MAX_ROWS) {
+              resolve(
+                NextResponse.json(
+                  { error: 'File contains too many rows. Maximum is 500,000.' },
+                  { status: 400 }
+                )
+              );
+              return;
+            }
+
            // Validate headers
            if (rows.length === 0) {
              resolve(