HIGH: No explicit JSON body size limit on express.json() - default 100KB #74
Bug Description
server.js:32 uses app.use(express.json()) without an explicit limit option, defaulting to Express's 100KB body size limit. While the import routes override this (2MB, 10MB), all other routes are capped at 100KB.
This could cause cryptic 413 Payload Too Large errors for legitimate admin operations with extensive data, or for any future endpoint that accepts larger payloads.
Affected Files
Impact
Unexpected 413 errors on legitimate large payloads with unclear error messages.
Recommended Fix
Set an explicit limit: app.use(express.json({ limit: '1mb' })) or similar, matching the application's expected payload sizes.
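The pattern the fix describes, as an added example that is not code from the BillTracker project or from this issue: an explicit application-wide JSON limit, a helper that converts a limit string to bytes the same way body-parser's `bytes` dependency does (binary units, so '1mb' is 1048576 bytes), and a four-argument Express error handler that turns the 413 body-parser raises (it tags the error with type 'entity.too.large' and the limit and length properties) into a clear JSON response instead of the default HTML page. The 1mb value, the route names and the makeRes helper are assumptions for illustration; the block uses no third-party packages, so it runs stand-alone, and in a real app you would register app.use(express.json({ limit: JSON_BODY_LIMIT })) and app.use(payloadErrorHandler) after the routes.

```javascript
// Added example, not the BillTracker project's own code. Assumed default
// for every route that does not pass its own limit to express.json();
// the import routes can keep their larger per-route parsers.
const JSON_BODY_LIMIT = '1mb';

// Converts a limit string the way body-parser's `bytes` dependency does:
// binary units (1kb = 1024 bytes) and a bare number means bytes.
function limitToBytes(limit) {
  if (typeof limit === 'number') return limit;
  const m = /^\s*(\d+(?:\.\d+)?)\s*(b|kb|mb|gb)?\s*$/i.exec(String(limit));
  if (!m) throw new TypeError(`invalid body limit: ${limit}`);
  const unit = (m[2] || 'b').toLowerCase();
  const mult = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 }[unit];
  return Math.floor(parseFloat(m[1]) * mult);
}

// Express error-handling middleware (four arguments, registered after the
// routes). body-parser marks oversized bodies with err.type ===
// 'entity.too.large' and sets err.limit / err.length; any other error is
// passed along unchanged.
function payloadErrorHandler(err, req, res, next) {
  if (err && err.type === 'entity.too.large') {
    return res.status(413).json({
      error: 'Request body too large',
      limitBytes: err.limit,
      receivedBytes: err.length,
      hint: `Reduce the payload below ${err.limit} bytes.`,
    });
  }
  return next(err);
}

// Minimal stand-in for an Express response object so the handler can be
// exercised offline (assumed helper, not part of Express).
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Local demo with a constructed error shaped like the one body-parser
// produces for a 2,000,000-byte body against the 1mb limit.
const demoRes = makeRes();
const demoErr = Object.assign(new Error('request entity too large'), {
  type: 'entity.too.large',
  status: 413,
  limit: limitToBytes(JSON_BODY_LIMIT),
  length: 2000000,
});
payloadErrorHandler(demoErr, {}, demoRes, () => {});
console.log(demoRes.statusCode, JSON.stringify(demoRes.body));
```

Because body-parser enforces the limit before the route runs, the handler is the only place the client can be told which limit applied; logging err.length alongside err.limit also gives operators the data to decide whether a route genuinely needs a larger per-route limit rather than a global one.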
closed v0.34.2.1