
fix: enforce 100kb payload limit on express.json and handle 413s#1288

Open
SharifIbrahimDev wants to merge 1 commit into
LabsCrypt:mainfrom
SharifIbrahimDev:fix/request-size-limit

Conversation

@SharifIbrahimDev


Closes #1184

What does this PR do?

This PR enforces an explicit 100kb payload size limit on express.json() and correctly handles resulting entity.too.large errors so they return a structured 413 response rather than defaulting to an unhandled 500 error.

Description

  • Explicit Size Limit: Added an explicit { limit: '100kb' } configuration to express.json() in app.ts. This protects the application and audit logs from unbounded payload sizes, while remaining more than generous enough to accommodate legitimate signed transaction payloads.
  • Centralized Error Handling: Updated errorHandler.ts to natively catch entity.too.large errors emitted by body-parser and translate them into standard 413 Payload Too Large responses with the VALIDATION_ERROR code.
  • Test Coverage: Added an integration test in errorHandling.test.ts to assert that a 150kb payload correctly trips the limit and returns the structured 413 error.
  • Documentation: Added inline comments describing the rationale behind the payload limit in app.ts.
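The handler ordering the description relies on (a 413 branch for body-parser's entity.too.large error sitting in front of the generic 500 handler) can be exercised without a running server. The block below is an added example, not code from this PR or the LabsCrypt repository: it constructs an error with the shape body-parser/raw-body produce (type, status, length, limit), runs it through a two-handler chain with a stub res object, and also includes a small parseLimit helper that turns a '100kb'-style string into bytes. The JSON response layout (an error object with a VALIDATION_ERROR code) and the helper names are assumptions.

```javascript
// Added example (not the project's code). Shows the defensive pattern
// described in the PR: an explicit body-size limit plus a dedicated
// error handler that turns body-parser's "entity.too.large" error into a
// structured 413 instead of letting it fall through to a generic 500.

// Convert a body-parser style limit string ("100kb", "1mb", "2048") to bytes.
// Assumed helper; mirrors the behaviour of the `bytes` package for these units.
function parseLimit(limit) {
  if (typeof limit === "number") return limit;
  const m = /^(\d+(?:\.\d+)?)\s*(b|kb|mb)?$/i.exec(String(limit).trim());
  if (!m) throw new Error(`unparseable limit: ${limit}`);
  const factor = { b: 1, kb: 1024, mb: 1024 * 1024 }[(m[2] || "b").toLowerCase()];
  return Math.floor(parseFloat(m[1]) * factor);
}

const PAYLOAD_LIMIT = parseLimit("100kb"); // the limit the PR makes explicit

// Constructed error shaped like the one raw-body throws when the declared
// Content-Length exceeds the limit (fields: type, status, expected, length, limit).
function makeTooLargeError(length, limit = PAYLOAD_LIMIT) {
  const err = new Error("request entity too large");
  err.type = "entity.too.large";
  err.status = 413;
  err.expected = length;
  err.length = length;
  err.limit = limit;
  return err;
}

// Error-handling middleware (Express signature: err, req, res, next).
// Must be registered BEFORE the generic handler so the error reaches it.
function payloadTooLargeHandler(err, req, res, next) {
  if (err && err.type === "entity.too.large") {
    res.status(413).json({
      error: {
        code: "VALIDATION_ERROR",
        message: `Request body exceeds the ${err.limit}-byte limit`,
      },
    });
    return;
  }
  next(err); // anything else falls through to the generic handler
}

// Generic catch-all: the pre-PR behaviour, where every error became a 500.
function genericErrorHandler(err, req, res, next) {
  res.status(500).json({ error: { code: "INTERNAL_ERROR", message: "Internal server error" } });
}

// Minimal stub of the parts of Express's res that the handlers use.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run an error through a chain of error handlers in registration order,
// the way Express does when a handler calls next(err).
function runErrorChain(err, handlers) {
  const res = makeRes();
  const req = {};
  let i = 0;
  const next = (e) => {
    const handler = handlers[i++];
    if (handler) handler(e, req, res, next);
  };
  next(err);
  return res;
}

// Correct registration order from the PR: 413 handler first, then the 500.
function handleWithPrOrder(err) {
  return runErrorChain(err, [payloadTooLargeHandler, genericErrorHandler]);
}

// Wrong order: the generic handler swallows the error and the client sees a 500.
function handleWithWrongOrder(err) {
  return runErrorChain(err, [genericErrorHandler, payloadTooLargeHandler]);
}

// Stand-alone demo: a 150kb payload, as in the PR's integration test.
const demo = handleWithPrOrder(makeTooLargeError(150 * 1024));
console.log(demo.statusCode, JSON.stringify(demo.body));
```

The point worth checking in review is the ordering: with the 413 handler registered after the generic one, the same error produces a 500 with no indication that the client can fix the request by shrinking it, which is exactly the situation the linked issue describes.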

@ogazboiz

ogazboiz commented Jul 1, 2026

Contributor

the payload-limit code is correct: express.json({ limit: "100kb" }) in app.ts, and errorHandler returns a structured 413 on entity.too.large, placed before the generic 500 so the body-parser error reaches it. the errorHandling suite passes 15/15 including the new over-limit test, and the app never uses urlencoded parsing so there's no gap there. two things:

  1. the branch is stale (behind main, pre-esm-conversion), so the red ci is stale-base not your change. please rebase: git fetch origin && git rebase origin/main && git push --force-with-lease.
  2. drop the stray pr_body_1184.md from the repo root.

rebase + drop the md and this is good.

if you want to keep contributing, join us on Telegram: https://t.me/+DOylgFv1jyJlNzM0



Development

Successfully merging this pull request may close these issues.

[Backend] No explicit request body-size limit configured on express.json(); relies on undocumented 100kb default with no 413 handling test

2 participants