Merge pull request 'fix(server): key sync size limit and version metadata JSON safety (#523 #530)' (#338) from fix/server-security-batch4 into main

scott 5f4e0822 c51eba22

+10 -1
+9
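--- a/server/routes/documents.ts
+++ b/server/routes/documents.ts
@@ -55,8 +55,17 @@
 }
 });
 
+const MAX_KEY_PAYLOAD_BYTES = 10 * 1024; // 10KB limit for key sync payloads
+
 router.put('/api/keys', (req: Request & { tsUser?: TailscaleUser | null }, res: Response) => {
   if (!req.tsUser) { res.status(403).json({ error: 'Authentication required' }); return; }
+
+  // Size limit to prevent abuse (#523)
+  const bodySize = JSON.stringify(req.body).length;
+  if (bodySize > MAX_KEY_PAYLOAD_BYTES) {
+    res.status(413).json({ error: 'Key payload too large (max 10KB)' }); return;
+  }
+
   const incoming = req.body?.keys;
   if (!incoming || typeof incoming !== 'object' || Array.isArray(incoming)) {
     res.status(400).json({ error: 'keys must be an object' }); return;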
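Review bot: The new check at `const bodySize = JSON.stringify(req.body).length` runs after the JSON body parser has already read and parsed the entire request, so it bounds what this handler goes on to store, not what the server accepts; the receive-side cap is whatever `limit` the body parser is configured with, which should be aligned with `MAX_KEY_PAYLOAD_BYTES` (the parser setup is outside this hunk, so I cannot confirm its value). The measurement is also UTF-16 code units of a re-serialization rather than request bytes, and `JSON.stringify(req.body)` returns `undefined` when `req.body` is undefined (a request without a JSON body, depending on parser configuration), so `.length` would throw and the request would end as a 500 rather than a 413; `const bodySize = Buffer.byteLength(JSON.stringify(req.body ?? null));` addresses both. The 10KB figure is repeated literally in the error message; deriving it from the constant, e.g. `` `Key payload too large (max ${MAX_KEY_PAYLOAD_BYTES / 1024}KB)` ``, keeps the two from drifting. The `router.put('/api/keys', ...)` handler continues past the end of the hunk.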
+1 -1
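--- a/server/routes/versions.ts
+++ b/server/routes/versions.ts
@@ -15,7 +15,7 @@
   const versions = stmts.getVersions.all(req.params.id) as VersionRow[];
   res.json(versions.map(v => ({
     ...v,
-    metadata: v.metadata ? JSON.parse(v.metadata) as unknown : null,
+    metadata: v.metadata ? (() => { try { return JSON.parse(v.metadata) as unknown; } catch { return null; } })() : null,
   })));
 });
 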
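Review bot: The inline IIFE on the added `metadata:` line (`(() => { try { ... } catch { return null; } })()`) folds the parse, the fallback and the null check into one expression, which is hard to read and hides a detail worth surfacing: a row whose stored metadata fails to parse is now returned to the client as `null`, indistinguishable from a row that never had metadata, so a corrupt or truncated column goes unnoticed. A small module-level helper keeps the map callback a one-liner and gives the catch a place to log the failure so it is visible in server logs rather than silently normalized. I am assuming `VersionRow.metadata` is a nullable string, as the truthiness check suggests; the enclosing route handler starts before this hunk.
```typescript
/** Parses a stored metadata column; malformed JSON yields null instead of failing the whole listing. */
function parseVersionMetadata(raw: string | null | undefined): unknown {
  if (!raw) return null;
  try {
    return JSON.parse(raw) as unknown;
  } catch {
    console.warn('versions: stored metadata is not valid JSON, returning null');
    return null;
  }
}

// … unchanged: route setup and getVersions query …
    metadata: parseVersionMetadata(v.metadata),
```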