fix: enforce request size limits for uploads #43

Open
Aaravanand00 wants to merge 3 commits into OSeMOSYS:master from Aaravanand00:fix/request-size-limits

@Aaravanand00

Closes #40

This PR introduces request size protections to prevent unbounded file uploads in the Flask backend.

Changes

  • Enforced Flask MAX_CONTENT_LENGTH with a default limit of 500 MB
  • Added support for overriding the limit via environment variable UPLOAD_MAX_SIZE
  • Implemented a global 413 error handler for oversized uploads
  • Added file size validation before saving uploaded files
  • Added cumulative size checks for chunked uploads
  • Added safety checks for ZIP extraction by validating total uncompressed size

Security & Stability Improvements

  • Prevents memory exhaustion from very large uploads
  • Reduces risk of ZIP bomb attacks
  • Improves backend stability for production deployments

Configuration

The upload size limit can be overridden using:

UPLOAD_MAX_SIZE=524288000

If not provided, the default limit of 500 MB is used.

No breaking API changes were introduced.

@Aaravanand00
Author

Hi @VedranKapor,

I worked on this issue by introducing request size protections to prevent unbounded uploads in the Flask backend.

Approach

The application currently sets MAX_CONTENT_LENGTH = None, which disables Flask’s built-in protection. I replaced this with a safer default and added additional validation around the upload logic.

Testing

I tested the changes locally by:

  • Running the backend with python app.py
  • Uploading small files (~1 MB) to confirm normal uploads work
  • Uploading larger files (~600 MB) to confirm they are rejected with HTTP 413
  • Testing the UPLOAD_MAX_SIZE environment override
  • Verifying that ZIP files exceeding the uncompressed size threshold are blocked

While testing on Windows, I also adjusted the ZIP deletion logic to avoid file locking when rejecting oversized archives.

Overall, the goal was to add reasonable protections while keeping the existing API behavior unchanged.

Happy to adjust anything if you prefer a different approach.
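
Added example, not code from this pull request: a standard-library sketch of the `UPLOAD_MAX_SIZE` override and the ZIP uncompressed-size check described in the PR above. The names `upload_limit`, `checked_uncompressed_size`, `ArchiveTooLarge` and `make_zip`, and the fallback to the default on an invalid value, are assumptions.

```python
import io
import os
import zipfile

DEFAULT_LIMIT = 500 * 1024 * 1024  # 500 MB default stated in the PR description
CHUNK = 64 * 1024                  # read size while decompressing (assumed value)


class ArchiveTooLarge(ValueError):
    """Raised when an archive would expand past the configured budget."""


def upload_limit(environ=os.environ):
    """Read UPLOAD_MAX_SIZE in bytes; use the default if unset or invalid (assumed)."""
    try:
        value = int(environ.get("UPLOAD_MAX_SIZE", ""))
    except ValueError:
        return DEFAULT_LIMIT
    return value if value > 0 else DEFAULT_LIMIT


def checked_uncompressed_size(fileobj, limit):
    """Return the uncompressed size of a ZIP, or raise ArchiveTooLarge."""
    with zipfile.ZipFile(fileobj) as zf:
        # Pass 1: cheap rejection using the sizes declared in the archive headers.
        declared = sum(info.file_size for info in zf.infolist())
        if declared > limit:
            raise ArchiveTooLarge(f"declared size {declared} exceeds {limit}")
        # Pass 2: header values come from the uploader, so also count the bytes
        # actually decompressed and stop as soon as the budget is exceeded.
        total = 0
        for info in zf.infolist():
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    total += len(chunk)
                    if total > limit:
                        raise ArchiveTooLarge(f"expanded past {limit} bytes")
        return total


def make_zip(payloads):
    """Build a constructed in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in payloads.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf
```

The compressed upload size says little about the expanded size: a constructed archive of one million zero bytes is about 1 KB on the wire, so the request-size limit alone does not bound what extraction writes.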

Successfully merging this pull request may close these issues.

Enforce request size limits to prevent unbounded file uploads
