Summary
apps/commandboard-api/src/index.ts readJson() (line 314) reads the entire request body into memory with no size limit. Additionally, the /api/plugins/c0mpute/jobs/dispatch endpoint (line 264) and /api/plugins/c0mpute/quotes (line 280) call readJson() outside a try/catch, so a malformed JSON body would crash with an unhandled exception rather than returning a 400 error.
Impact
- Denial of service: An attacker can send an arbitrarily large payload to any POST endpoint, causing out-of-memory crashes.
- Server crash: Malformed JSON to /dispatch or /quotes crashes the process instead of returning 400.
Suggested Fix
- Add a body size limit (e.g., 1MB) to readJson():
  const MAX_BODY = 1_048_576; // 1 MB
  const chunks: Buffer[] = []; // collected body chunks, concatenated and parsed after the loop
  let total = 0;
  for await (const chunk of request) {
    total += chunk.length;
    // Reject before storing the chunk, so an oversize body is never fully buffered.
    if (total > MAX_BODY) throw new Error("Request body too large");
    chunks.push(Buffer.from(chunk));
  }
- Wrap the readJson() calls at lines 264 and 280 in try/catch like lines 108 and 234.
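Both fixes combined, as an added example that is not the project's own code: readJsonLimited stops reading as soon as the byte total crosses the cap, and handleJsonBody maps the two failure modes to HTTP status codes instead of letting them escape as unhandled rejections. The function names, the BodyTooLargeError class, the 413 status for an oversize body and the fakeRequest stand-in for an IncomingMessage are this example's own assumptions.

```typescript
import { Readable } from "node:stream";

// Added example, not the project's code. MAX_BODY mirrors the 1 MB limit suggested above;
// BodyTooLargeError and the 413 mapping are this example's own choices.
const MAX_BODY = 1_048_576;

class BodyTooLargeError extends Error {
  constructor(limit: number) {
    super(`Request body exceeds ${limit} bytes`);
    this.name = "BodyTooLargeError";
  }
}

// Reads an async-iterable body (Node's IncomingMessage is one) with a hard byte cap.
// The check runs before the chunk is stored, so an oversize body is rejected as soon as
// the running total crosses the limit instead of being buffered in full.
async function readJsonLimited(request: AsyncIterable<Buffer | string>, maxBytes: number = MAX_BODY): Promise<unknown> {
  const chunks: Buffer[] = [];
  let total = 0;
  for await (const chunk of request) {
    const buf = typeof chunk === "string" ? Buffer.from(chunk, "utf8") : chunk;
    total += buf.length;
    if (total > maxBytes) throw new BodyTooLargeError(maxBytes);
    chunks.push(buf);
  }
  return JSON.parse(Buffer.concat(chunks).toString("utf8"));
}

// Turns both failure modes into HTTP status codes instead of unhandled rejections:
// 413 for an oversize body, 400 for malformed JSON. Anything else is rethrown as a real server error.
async function handleJsonBody(request: AsyncIterable<Buffer | string>, maxBytes: number = MAX_BODY): Promise<{ status: number; body: unknown }> {
  try {
    return { status: 200, body: await readJsonLimited(request, maxBytes) };
  } catch (err) {
    if (err instanceof BodyTooLargeError) return { status: 413, body: { error: err.message } };
    if (err instanceof SyntaxError) return { status: 400, body: { error: "Malformed JSON body" } };
    throw err;
  }
}

// Constructed stand-in for an IncomingMessage: a stream yielding the given chunks in order.
function fakeRequest(...parts: string[]): Readable {
  return Readable.from(parts.map((p) => Buffer.from(p, "utf8")));
}
```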
Severity: High