Description
The /scan endpoint has no maximum file size enforced. A user can upload an arbitrarily large ZIP (e.g. a 2GB repo archive), which will either exhaust memory during extraction, fill the disk, or block the entire server process for other users. FastAPI does not enforce upload limits by default.
What to implement
- Add a configurable max upload size via env var MAX_UPLOAD_MB (default: 100)
- Reject uploads exceeding the limit with 413 Request Entity Too Large before reading the file into memory
- Document MAX_UPLOAD_MB in backend/README.md under configuration
Acceptance criteria
- Uploading a file over the limit returns 413 with message "File too large. Maximum upload size is {MAX_UPLOAD_MB}MB."
- Limit is configurable without code changes via env var
- File is rejected before being written to disk
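
One way to meet these criteria, as an added sketch that is not code from this repository: a pure ASGI middleware that refuses on the declared Content-Length first, then counts the bytes actually received, since that header can be absent or wrong. Only MAX_UPLOAD_MB, its default, the /scan path and the 413 message come from this issue; the class name, the `path` parameter and the `app.add_middleware(MaxUploadMiddleware)` wiring are assumptions, and the limit applies to the whole request body, multipart framing included.

```python
import json
import os

# MAX_UPLOAD_MB and its default of 100 come from the issue; all other names are illustrative.
MAX_UPLOAD_MB = int(os.environ.get("MAX_UPLOAD_MB", "100"))


class MaxUploadMiddleware:
    """Pure ASGI middleware (assumed wiring: app.add_middleware(MaxUploadMiddleware))."""

    def __init__(self, app, max_mb=MAX_UPLOAD_MB, path="/scan"):
        self.app, self.max_mb, self.path = app, max_mb, path
        self.limit = max_mb * 1024 * 1024

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or scope["path"] != self.path:
            return await self.app(scope, receive, send)
        # Cheap check first: refuse on the declared size before reading any body bytes.
        declared = dict(scope["headers"]).get(b"content-length", b"")
        if declared.isdigit() and int(declared) > self.limit:
            return await self._reject(send)
        seen, rejected, started = 0, False, False

        async def capped_receive():
            # Content-Length can be absent (chunked) or wrong, so count the real bytes.
            nonlocal seen, rejected
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.limit:
                    if not started:  # only answer 413 if no response has begun
                        rejected = True
                        await self._reject(send)
                    return {"type": "http.disconnect"}  # the app stops reading here
            return message

        async def guarded_send(message):
            nonlocal started
            if not rejected:  # drop whatever the app sends after our 413
                started = True
                await send(message)

        await self.app(scope, capped_receive, guarded_send)

    async def _reject(self, send):
        detail = f"File too large. Maximum upload size is {self.max_mb}MB."
        body = json.dumps({"detail": detail}).encode()
        headers = [(b"content-type", b"application/json"), (b"content-length", b"%d" % len(body))]
        await send({"type": "http.response.start", "status": 413, "headers": headers})
        await send({"type": "http.response.body", "body": body})
```

When Content-Length is present and over the limit, the handler never runs and nothing is read. When it is missing or understated, at most the limit's worth of bytes reaches the framework's body parser before the 413 is sent.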