
[MEDIUM] AI service has no request body size limit #137

Description

@kilodesodiq-arch

Engineering Gap

The FastAPI application in app/ai-service/main.py has no request body size limit configured. Large payloads (malicious or accidental) could exhaust memory.

Codebase Evidence

  • app/ai-service/main.py lines 76-83: FastAPI app created without a max_request_body_size setting or body-limiting middleware
  • No ASGI middleware for body size limiting

Risk Profile

Memory exhaustion from large request bodies. DoS vector.

Remediation Strategy

Add ASGI middleware or Uvicorn configuration to limit request body size (e.g., 10MB). Return 413 for oversized requests.
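One way to implement this, added here as an example and not code from the repository: a pure ASGI middleware that the FastAPI app in main.py would register with `app.add_middleware(BodySizeLimitMiddleware, max_bytes=...)`. It goes one step beyond a Content-Length check, counting a streamed body as it arrives so a missing or false header cannot bypass the limit; the class name, the stand-in app and the offline driver are all hypothetical.

```python
import asyncio

class BodyTooLarge(Exception): pass  # raised by the wrapped receive() once the body total passes the limit

async def send_413(send):  # plain-text 413 so the client learns why it was cut off
    await send({"type": "http.response.start", "status": 413, "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"request body too large"})

class BodySizeLimitMiddleware:
    """Pure ASGI middleware: refuse a Content-Length above the limit before reading any body
    byte, and count a streamed body as it arrives so a missing or false header cannot bypass it."""
    def __init__(self, app, max_bytes=10 * 1024 * 1024):  # 10 MB, the limit proposed in the issue
        self.app, self.max_bytes = app, max_bytes
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # lifespan / websocket scopes pass straight through
            return await self.app(scope, receive, send)
        declared = dict(scope.get("headers", [])).get(b"content-length", b"")
        if declared.isdigit() and int(declared) > self.max_bytes:
            return await send_413(send)
        received = 0
        async def counting_receive():
            nonlocal received
            msg = await receive()
            received += len(msg.get("body", b"")) if msg["type"] == "http.request" else 0
            if received > self.max_bytes:
                raise BodyTooLarge()
            return msg
        try:  # FastAPI reads the body while parsing the request, so the error
            await self.app(scope, counting_receive, send)  # surfaces before any response starts
        except BodyTooLarge:
            await send_413(send)

async def echo_length_app(scope, receive, send):  # constructed stand-in for the FastAPI app
    total, more = 0, True
    while more:  # drain the body exactly as a real app reading the request would
        msg = await receive()
        total, more = total + len(msg.get("body", b"")), msg.get("more_body", False)
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(total).encode()})
def simulate(body, headers=(), chunk=4096, max_bytes=1000):
    """Drive the middleware offline with a constructed request; returns the response status."""
    queue = [body[i:i + chunk] for i in range(0, len(body), chunk)] or [b""]
    status = []
    async def receive():
        return {"type": "http.request", "body": queue.pop(0), "more_body": bool(queue)}
    async def send(msg):
        status.append(msg.get("status"))  # the first message sent is always http.response.start
    app = BodySizeLimitMiddleware(echo_length_app, max_bytes)
    asyncio.run(app({"type": "http", "headers": list(headers)}, receive, send))
    return status[0]
```

`simulate` uses a 1000-byte limit so the cases are small; the middleware itself defaults to the 10 MB from this issue.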

Success Conditions

  • Request body size limit enforced
  • 413 response for oversized requests
  • Limit documented

Change Surface

Files: main.py, Uvicorn config

Security Review

Mitigates DoS via large payloads.

Completion Checklist

  • Implementation completed
  • Peer reviewed
  • Tests passing
  • Ready for merge

Labels: GrantFox OSS (Issue tracked in GrantFox OSS), Maybe Rewarded (Issue may be eligible for a GrantFox reward), Official Campaign (Campaign: Official Campaign), medium, security (Security vulnerabilities and hardening)
