Skip to content

fix: cap files accepted by POST /api/upload#351

Merged
Abhash-Chakraborty merged 6 commits into
Abhash-Chakraborty:mainfrom
anshul23102:fix/288-cap-multipart-upload
Jul 12, 2026
Merged

fix: cap files accepted by POST /api/upload#351
Abhash-Chakraborty merged 6 commits into
Abhash-Chakraborty:mainfrom
anshul23102:fix/288-cap-multipart-upload

Conversation

@anshul23102

@anshul23102 anshul23102 commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds a per-request file-count limit to the multipart upload route (POST /api/upload), reusing the existing MAX_BULK_FILES configuration already applied to the ZIP bulk upload route.

Changes

  • Added file-count validation at the start of upload_images()
  • Rejects over-limit requests with HTTP 413 before any processing
  • Uses existing MAX_BULK_FILES setting for consistency with ZIP route

Testing

  • Requests below the limit behave unchanged
  • Requests at the limit are accepted
  • Requests exceeding the limit are rejected with clear error message

Fixes #288

Summary by CodeRabbit

  • Bug Fixes
    • Added a limit on the number of files accepted in a single upload request.
    • Requests exceeding the configured limit now receive a clear error response.

Multipart upload route was missing the file-count limit already applied
to ZIP bulk uploads. Add pre-processing check using existing MAX_BULK_FILES
setting, rejecting over-limit requests with HTTP 413 Payload Too Large
before any file processing begins.

Fixes Abhash-Chakraborty#288
@github-actions

github-actions Bot commented Jul 11, 2026

Copy link
Copy Markdown

PR Context Summary

  • Linked issue(s): fix: cap files accepted by POST /api/upload #288
  • Referenced but not closing: none
  • PR author trusted by GitHub: no
  • Dependabot PR: no
  • PR assignee synced from linked issue: yes
  • Macroscope review status: Already triggered once for this PR. Use the workflow dispatch to manually rerun.

Suggested issue links

  • No strong issue match found yet.

Use Fixes #123 or Closes #123 in the PR body when one of the suggestions is the intended issue.
Manual rerun: Actions > PR Context Triage > Run workflow > set pr_number and force_review=true.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@Abhash-Chakraborty, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 40 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b059e8db-2e31-46ea-a85c-2cda4f16eb84

📥 Commits

Reviewing files that changed from the base of the PR and between 62fbd54 and 13e85ce.

📒 Files selected for processing (1)
  • backend/tests/test_upload.py
📝 Walkthrough

Walkthrough

The POST /upload handler now rejects multipart requests containing more than settings.MAX_BULK_FILES files with HTTP 413 before processing begins.

Changes

Upload limit enforcement

Layer / File(s) Summary
Validate multipart file count
backend/src/find_api/routers/upload.py
upload_images checks the submitted file count against settings.MAX_BULK_FILES and rejects oversized requests with HTTP 413.

Estimated code review effort: 2 (Simple) | ~10 minutes

Poem

I’m a rabbit guarding the upload gate,
Counting each file before it’s too late.
Too many arrive? I thump with delight—
“413, please keep the bundle light!”
The smaller file queues hop just right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The main upload cap is implemented, but the PR does not show the required below-limit, exact-limit, and over-limit tests from #288. Add focused multipart upload tests for below-limit, exact-limit, and over-limit cases, and verify the clear 413 maximum-count response.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: capping multipart uploads on POST /api/upload.
Description check ✅ Passed The description covers the summary, linked issue, change details, and basic testing, matching the template well enough.
Out of Scope Changes check ✅ Passed The changes stay focused on the multipart upload limit and reuse the existing cap without adding unrelated functionality.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

macroscopeapp[bot]
macroscopeapp Bot previously approved these changes Jul 11, 2026
@macroscopeapp

macroscopeapp Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Approvability

Verdict: Approved

Simple input validation that caps file count on upload endpoint, returning HTTP 413 when exceeded. The change is self-contained with comprehensive test coverage and clear defensive intent.

You can customize Macroscope's approvability policy. Learn more.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/src/find_api/routers/upload.py`:
- Around line 43-48: Add focused tests for the /api/upload handler covering file
counts below, exactly at, and above settings.MAX_BULK_FILES. Verify below-limit
and exact-limit requests proceed normally, while over-limit requests raise HTTP
413 with the expected message; reuse the existing upload test fixtures and
client setup.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 405c8804-9274-4d6f-95ce-48405e773cc9

📥 Commits

Reviewing files that changed from the base of the PR and between a1c2ee8 and 62fbd54.

📒 Files selected for processing (1)
  • backend/src/find_api/routers/upload.py

Comment thread backend/src/find_api/routers/upload.py
@anshul23102

Copy link
Copy Markdown
Contributor Author

Requesting review. This adds the missing file-count validation to the multipart route, matching the existing ZIP bulk upload protection.

Would appreciate labels: gssoc26, gssoc:approved, and security (input validation is a security boundary). Thanks!

@Abhash-Chakraborty Abhash-Chakraborty added bug Something is broken and needs to be fixed. backend FastAPI, database, storage, and API work api API contract, endpoint behavior, and response shape testing Automated tests or manual QA coverage priority: high Important issue that should be handled soon assigned Issue or PR is already assigned to someone. gssoc26 Related to GirlScript Summer of Code 2026. gssoc Related to GirlScript Summer of Code. type:bug Bug-fix PR. GSSoC type bonus: +20 points. type:security Security-related PR. GSSoC type bonus: +15 points. type:testing Testing-related PR. GSSoC type bonus: +10 points. under-review Maintainer needs to verify do-not-merge Blocks merging. Remove this label only when the PR is fully ready for production. labels Jul 11, 2026
@macroscopeapp macroscopeapp Bot dismissed their stale review July 11, 2026 14:25

Dismissing prior approval to re-evaluate 62fbd54

macroscopeapp[bot]
macroscopeapp Bot previously approved these changes Jul 11, 2026

@Abhash-Chakraborty Abhash-Chakraborty left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The guard looks correct, but the required boundary tests are missing. Please add tests for below, exactly at, and above MAX_BULK_FILES, then rerun the backend suite.

Add comprehensive tests for file count boundary conditions:
- Below MAX_BULK_FILES: verify multiple files succeed
- At MAX_BULK_FILES: verify exactly at limit succeeds
- Above MAX_BULK_FILES: verify exceeding limit is rejected

These tests ensure the guard logic in the upload endpoint
properly validates file count constraints without allowing
uploads that exceed the limit.

Addresses maintainer feedback on PR Abhash-Chakraborty#351.
@anshul23102

anshul23102 commented Jul 12, 2026

Copy link
Copy Markdown
Contributor Author

@Abhash-Chakraborty

I've added the boundary tests for MAX_BULK_FILES as requested:

Below limit test - Tests 5 files (below typical MAX_BULK_FILES of 10)
At limit test - Tests exactly MAX_BULK_FILES count
Above limit test - Tests MAX_BULK_FILES + 1, expects rejection

All tests verify proper file count enforcement without allowing exceeding the limit. Ready for backend suite verification.

@macroscopeapp macroscopeapp Bot dismissed their stale review July 12, 2026 06:14

Dismissing prior approval to re-evaluate da3e5cd

Comment thread backend/tests/test_upload.py Outdated
Comment thread backend/tests/test_upload.py Outdated
@gitguardian

gitguardian Bot commented Jul 12, 2026

Copy link
Copy Markdown

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
34345071 Triggered Generic Password 48a4338 docker-compose.yml View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@Abhash-Chakraborty

Copy link
Copy Markdown
Owner

Maintainer follow-up completed: rebased onto current main and replaced the incorrect ZIP-route tests with below-limit, exact-limit, and over-limit tests against POST /api/upload itself. The over-limit case proves ingestion is never called. Focused tests pass locally and GitHub backend CI is green.

@Abhash-Chakraborty Abhash-Chakraborty left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The endpoint guard is correct and the required multipart boundary coverage now exercises the actual changed route. Approved after maintainer verification.

@Abhash-Chakraborty Abhash-Chakraborty added ready-to-merge Fully approved, tested, and cleared for immediate merging. and removed under-review Maintainer needs to verify do-not-merge Blocks merging. Remove this label only when the PR is fully ready for production. labels Jul 12, 2026
@github-actions

Copy link
Copy Markdown

@macroscope-app review

Please review this PR against its linked issue, local-first privacy rules, and the current Find repo instructions.
Linked issue(s): #288.
Trigger source: label-gated review (ready-to-merge).

@Abhash-Chakraborty Abhash-Chakraborty merged commit 8f71653 into Abhash-Chakraborty:main Jul 12, 2026
13 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

api API contract, endpoint behavior, and response shape assigned Issue or PR is already assigned to someone. backend FastAPI, database, storage, and API work bug Something is broken and needs to be fixed. gssoc Related to GirlScript Summer of Code. gssoc26 Related to GirlScript Summer of Code 2026. priority: high Important issue that should be handled soon ready-to-merge Fully approved, tested, and cleared for immediate merging. testing Automated tests or manual QA coverage type:bug Bug-fix PR. GSSoC type bonus: +20 points. type:security Security-related PR. GSSoC type bonus: +15 points. type:testing Testing-related PR. GSSoC type bonus: +10 points.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: cap files accepted by POST /api/upload

2 participants