fix: cap files accepted by POST /api/upload#351
Conversation
Multipart upload route was missing the file-count limit already applied to ZIP bulk uploads. Add pre-processing check using existing MAX_BULK_FILES setting, rejecting over-limit requests with HTTP 413 Payload Too Large before any file processing begins. Fixes Abhash-Chakraborty#288
PR Context Summary
Suggested issue links
Use |
|
Warning Review limit reached
Next review available in: 40 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe ChangesUpload limit enforcement
Estimated code review effort: 2 (Simple) | ~10 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
ApprovabilityVerdict: Approved Simple input validation that caps file count on upload endpoint, returning HTTP 413 when exceeded. The change is self-contained with comprehensive test coverage and clear defensive intent. You can customize Macroscope's approvability policy. Learn more. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@backend/src/find_api/routers/upload.py`:
- Around line 43-48: Add focused tests for the /api/upload handler covering file
counts below, exactly at, and above settings.MAX_BULK_FILES. Verify below-limit
and exact-limit requests proceed normally, while over-limit requests raise HTTP
413 with the expected message; reuse the existing upload test fixtures and
client setup.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 405c8804-9274-4d6f-95ce-48405e773cc9
📒 Files selected for processing (1)
backend/src/find_api/routers/upload.py
|
Requesting review. This adds the missing file-count validation to the multipart route, matching the existing ZIP bulk upload protection. Would appreciate labels: |
Dismissing prior approval to re-evaluate 62fbd54
Abhash-Chakraborty
left a comment
There was a problem hiding this comment.
The guard looks correct, but the required boundary tests are missing. Please add tests for below, exactly at, and above MAX_BULK_FILES, then rerun the backend suite.
Add comprehensive tests for file count boundary conditions: - Below MAX_BULK_FILES: verify multiple files succeed - At MAX_BULK_FILES: verify exactly at limit succeeds - Above MAX_BULK_FILES: verify exceeding limit is rejected These tests ensure the guard logic in the upload endpoint properly validates file count constraints without allowing uploads that exceed the limit. Addresses maintainer feedback on PR Abhash-Chakraborty#351.
|
I've added the boundary tests for MAX_BULK_FILES as requested: Below limit test - Tests 5 files (below typical MAX_BULK_FILES of 10) All tests verify proper file count enforcement without allowing exceeding the limit. Ready for backend suite verification. |
Dismissing prior approval to re-evaluate da3e5cd
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 34345071 | Triggered | Generic Password | 48a4338 | docker-compose.yml | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
|
Maintainer follow-up completed: rebased onto current main and replaced the incorrect ZIP-route tests with below-limit, exact-limit, and over-limit tests against POST /api/upload itself. The over-limit case proves ingestion is never called. Focused tests pass locally and GitHub backend CI is green. |
Abhash-Chakraborty
left a comment
There was a problem hiding this comment.
The endpoint guard is correct and the required multipart boundary coverage now exercises the actual changed route. Approved after maintainer verification.
|
@macroscope-app review Please review this PR against its linked issue, local-first privacy rules, and the current Find repo instructions. |
8f71653
into
Abhash-Chakraborty:main
Summary
Adds a per-request file-count limit to the multipart upload route (
POST /api/upload), reusing the existingMAX_BULK_FILESconfiguration already applied to the ZIP bulk upload route.Changes
upload_images()MAX_BULK_FILESsetting for consistency with ZIP routeTesting
Fixes #288
Summary by CodeRabbit