DocFast session 126: BUG-101 discovered & fixed, 468 tests
parent a9a6dc1e13
commit b5acf9b792
3 changed files with 28 additions and 2 deletions
@ -1,3 +1,14 @@
|
|||
## BUG-101: Body size limits on demo and convert routes are ineffective — global parser runs first
|
||||
- **Date:** 2026-03-04
|
||||
- **Severity:** MEDIUM
|
||||
- **Issue:** In `src/index.ts`, the global `express.json({ limit: "2mb" })` middleware (line ~85) runs BEFORE route-specific parsers. Express only parses the body once — the first matching parser wins. So the route-specific limits never fire:
|
||||
- Demo route: `express.json({ limit: "50kb" })` — INEFFECTIVE, actually allows 2MB
|
||||
- Convert routes: `express.json({ limit: "500kb" })` — INEFFECTIVE, actually allows 2MB
|
||||
- **Impact:** Demo users (unauthenticated) can send 2MB payloads instead of 50KB — free resource abuse vector. Authenticated users can send 2MB instead of 500KB.
|
||||
- **Verified:** Sent 52KB payload to `/v1/demo/html` on production — got HTTP 200 instead of expected 413.
|
||||
- **Fix:** Remove global JSON parser, apply route-specific parsers before each route group with correct limits.
|
||||
- **Status:** ✅ FIXED — commit c03f217. Removed global `express.json()`, applied route-specific parsers per-route. 4 TDD tests added (body-limits.test.ts). 468 tests total, all passing. Pushed to main (staging auto-deploy).
|
||||
|
||||
## BUG-100: Usage flush transaction error handling broken — one bad key poisons entire batch
|
||||
- **Date:** 2026-03-04
|
||||
- **Severity:** MEDIUM
|
||||
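Review bot: The **Status** line for BUG-101 marks the bug FIXED on the strength of the added tests, but nothing in the entry records that the reproduction from the **Verified** line (52KB payload to `/v1/demo/html`, expected 413) was re-run against the deployed build; add the post-fix result and the environment it was checked on. The **Fix** and **Status** lines also describe removing the global `express.json({ limit: "2mb" })` without listing which route groups received a parser, so the entry should state whether any route outside demo and convert relied on the global parser and now receives an unparsed JSON body.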