From e07d1ae4af3dbff99fef3f9dd0c07e7b93348e63 Mon Sep 17 00:00:00 2001 From: KernelDeimos <7225168+KernelDeimos@users.noreply.github.com> Date: Fri, 9 Jan 2026 16:22:31 -0500 Subject: [PATCH] dev(backend): limit thumbnail size from client There was a configuration parameter for this but it isn't being used and has the incorrect name in `config.js`. I decided to keep the old check here anyway because having support to configure a lower size limit could come in handy. I set the limit to 2MiB through the following logic: - largest icon size I've ever heard of is 512px - 512*512*4 (4 color channels) is 1048576 (1MiB) - increase to next MiB just to be safe --- .../src/filesystem/hl_operations/hl_write.js | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/backend/src/filesystem/hl_operations/hl_write.js b/src/backend/src/filesystem/hl_operations/hl_write.js index c2adefece..9cd5bcdf6 100644 --- a/src/backend/src/filesystem/hl_operations/hl_write.js +++ b/src/backend/src/filesystem/hl_operations/hl_write.js @@ -34,6 +34,9 @@ const { MkTree } = require('./hl_mkdir'); const { Actor } = require('../../services/auth/Actor'); const { LLCWrite, LLOWrite } = require('../ll_operations/ll_write'); +// 2 MiB limit for client-provided thumbnails +const MAX_THUMBNAIL_SIZE = 2 * 1024 * 1024; + class WriteCommonFeature { install_in_instance (instance) { instance._verify_size = async function () { @@ -46,6 +49,20 @@ class WriteCommonFeature { }); } + if ( + this.values.thumbnail && + typeof this.values.thumbnail === 'string' + ) { + const RATIO = 4 / 3; // 4 bytes per 3 base64 characters + const decoded_size = Math.ceil(this.values.thumbnail.length * RATIO); + if ( decoded_size > MAX_THUMBNAIL_SIZE ) { + throw APIError.create('thumbnail_too_large', null, { + max_size: MAX_THUMBNAIL_SIZE, + }); + } + } + + // configured thumbnail size limit (can be lower than MAX_THUMBNAIL_SIZE) if ( this.values.thumbnail && this.values.thumbnail.size > config.max_thumbnail_size