Request body size limit can be bypassed via chunked transfer encoding

[luandro]

Description

The MAX_REQUEST_SIZE (1MB) check in api-server/request-handler.ts only relies on the Content-Length header:

const contentLength = req.headers.get("content-length");
if (
  contentLength !== null &&
  parseInt(contentLength, 10) > MAX_REQUEST_SIZE
) {
  // ... reject
}

Requests without this header (e.g., chunked transfer encoding) bypass the check entirely. Subsequent req.json() calls could read oversized bodies into memory.

Impact

• Memory exhaustion: Malicious requests can send arbitrarily large payloads
• Denial of service: Server memory can be exhausted by multiple large requests
• Security risk: Bypasses intended request size limits

Recommendation

Implement runtime body size streaming checks to prevent unbounded memory consumption:

1. Use a streaming approach that tracks bytes read
2. Reject requests that exceed the limit during streaming
3. Consider using Bun's built-in request body size limiting features

Related

#147 (API Server Enhancements: Memory Consumption)

Priority

Medium - Security/reliability concern but requires specific attack vector