[PR #2575] [MERGED] fix(security): prevent file size limit bypass via import (GHSA-qh78-rvg3-cv54) #5742

New Issue

GiteaMirror · 2026-04-16T13:50:54-05:00

GiteaMirror commented

2026-04-16 13:50:54 -05:00

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/2575
Author: @tink-bot
Created: 4/9/2026
Status: ✅ Merged
Merged: 4/9/2026
Merged by: @kolaente

Base: main ← Head: fix-import-file-size-bypass

📝 Commits (6)

30bf9f5 fix(files): derive file size from reader at creation boundary
3d0c343 refactor(files): derive attachment size from content in sibling callers
42f93dd fix(migration): compute attachment size from content during import
3f47e2c fix(migration): bound per-entry zip cap by configured files.maxsize
d754c1a test(migration): regression test for forged attachment size
d5dd913 test(todoist): serve attachment from local test server

📊 Changes

10 files changed (+244 additions, -25 deletions)

View changed files

📝 pkg/files/files.go (+48 -3)
📝 pkg/files/files_test.go (+54 -3)
📝 pkg/models/project_duplicate.go (+1 -1)
📝 pkg/models/task_attachment_test.go (+3 -2)
📝 pkg/models/task_duplicate.go (+1 -1)
📝 pkg/modules/migration/create_from_structure.go (+6 -2)
📝 pkg/modules/migration/todoist/todoist.go (+1 -1)
📝 pkg/modules/migration/todoist/todoist_test.go (+21 -4)
📝 pkg/modules/migration/vikunja-file/vikunja.go (+36 -8)
📝 pkg/modules/migration/vikunja-file/vikunja_test.go (+73 -0)

📄 Description

The Vikunja file import endpoint trusted the attacker-supplied Size field from the JSON metadata inside the import zip when enforcing files.maxsize, so setting "size": 0 while stuffing arbitrarily large content into the corresponding files/<id> zip entry bypassed the limit and could fill server disk.

This PR fixes the immediate bypass at the import layer and adds defense in depth at the file creation boundary so future callers cannot reintroduce the same class of bug.

Reference: GHSA-qh78-rvg3-cv54

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/go-vikunja/vikunja/pull/2575 **Author:** [@tink-bot](https://github.com/tink-bot) **Created:** 4/9/2026 **Status:** ✅ Merged **Merged:** 4/9/2026 **Merged by:** [@kolaente](https://github.com/kolaente) **Base:** `main` ← **Head:** `fix-import-file-size-bypass` --- ### 📝 Commits (6) - [`30bf9f5`](https://github.com/go-vikunja/vikunja/commit/30bf9f5eaf727e257cd1733e8521fc1a1847681e) fix(files): derive file size from reader at creation boundary - [`3d0c343`](https://github.com/go-vikunja/vikunja/commit/3d0c3432098552a916e7edc338ce596f8fd91236) refactor(files): derive attachment size from content in sibling callers - [`42f93dd`](https://github.com/go-vikunja/vikunja/commit/42f93dddd8ca10cd6e1be74eaab4b2c5eec4001a) fix(migration): compute attachment size from content during import - [`3f47e2c`](https://github.com/go-vikunja/vikunja/commit/3f47e2c4fb3f20eed78b11aa8dd003a638192cff) fix(migration): bound per-entry zip cap by configured files.maxsize - [`d754c1a`](https://github.com/go-vikunja/vikunja/commit/d754c1af10368e27ef6cd4c68cda2c38a6782d8d) test(migration): regression test for forged attachment size - [`d5dd913`](https://github.com/go-vikunja/vikunja/commit/d5dd913fdc02358fbba0b6ec7e4d6ce4c0dcc184) test(todoist): serve attachment from local test server ### 📊 Changes **10 files changed** (+244 additions, -25 deletions) <details> <summary>View changed files</summary> 📝 `pkg/files/files.go` (+48 -3) 📝 `pkg/files/files_test.go` (+54 -3) 📝 `pkg/models/project_duplicate.go` (+1 -1) 📝 `pkg/models/task_attachment_test.go` (+3 -2) 📝 `pkg/models/task_duplicate.go` (+1 -1) 📝 `pkg/modules/migration/create_from_structure.go` (+6 -2) 📝 `pkg/modules/migration/todoist/todoist.go` (+1 -1) 📝 `pkg/modules/migration/todoist/todoist_test.go` (+21 -4) 📝 `pkg/modules/migration/vikunja-file/vikunja.go` (+36 -8) 📝 `pkg/modules/migration/vikunja-file/vikunja_test.go` (+73 -0) </details> ### 📄 Description The Vikunja file import endpoint trusted the attacker-supplied `Size` field from the JSON metadata inside the import zip when enforcing `files.maxsize`, so setting `"size": 0` while stuffing arbitrarily large content into the corresponding `files/<id>` zip entry bypassed the limit and could fill server disk. This PR fixes the immediate bypass at the import layer and adds defense in depth at the file creation boundary so future callers cannot reintroduce the same class of bug. Reference: GHSA-qh78-rvg3-cv54 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-16 13:50:54 -05:00

GiteaMirror closed this issue

2026-04-16 13:50:56 -05:00

Sign in to join this conversation.

Branches Tags

main

renovate/dev-dependencies

fix-list-sort-resets

claude/analyze-beans-project-9VxoS

feat-huma-api-v2-migration

feat-v2-foundation

spike-huma-openapi3

claude/investigate-swagger3-support-nyyUa

feat-list-view-buckets

ci-mysql-8-test

codex/analyze-codebase-for-email-task-feature

feat-project-templates

csv-import-feature

claude/email-reply-comments-wpdcQ

fix-oidc-pkce-support

fix/overview-subtasks-expand

feat/bucket-select-task-detail

feat-soft-delete-projects

claude/review-bot-design-plan-cf5C3

claude/project-scoped-api-tokens-KTqR3

claude/explore-openclaw-integration-KQEzg

claude/project-scoped-api-tokens-yv5KS

fix-duplicate-close-button

feat-list-view-sorting

feat/official-vite-sentry-plugin

feat/highlight-overdue-tasks

feat/add-enter-key-form-submission-handling

feat/TipTap-nits

feat/update-caldavtimetotimestamp-parsing

feat-phosphor-icons

wip-plans

claude/investigate-issue-2173-llKme

fix-description-text-drag

feat-custom-keyboard-shortcuts

pr-1845-ci

codex/fix-drag-and-drop-behavior-inconsistency

copilot/add-clickable-labels-for-filtering

copilot/fix-issue-1786

playwright-migration

fix-kanban-repeating-wip

copilot/fix-1498

feature/replace-axios

codex/upgrade-to-tailwind-4.1.8-using-pnpm

codex/add-cypress-test-for-avatar-types

feature/biome

feature/oxc

codex/update-flexsearch-to-0.8.205

4r6ni9-codex/fix-deprecated-sass-@import-usage

codex/fix-deprecated-sass-@import-usage

codex/add-cypress-test-for-task-list-refresh-fix

codex/fix-quick-add-magic-not-adding-tasks

codex/fix-all-type-errors

codex/fix-mimetype-for-docs.json

feature/caldav-from-scratch

feature/gh-actions-hetzner

fix-ci

feat/new-logger

jyte-better-dev-config

feat/add-team-member-with-enter

fix/button-and-icon-types

fix/notifications-component-name-collision

feature/null-time

renovate/tailwindcss-4.x

feature/unplugin-vue-router

fix/deprecated-import

feature/zod-schema

renovate/golangci-golangci-lint-1.x

fix/tiptap-editor-reactive-destructuring

release/0.24

feat/improve-add-task

fix/saved-filter-search

feat/webp-and-avif-attachment-previews

feature/migrate-back-to-bulma

fix/sass-add-missing-list-import

feature/sticky-demo-bar

fix/gantt-view-switch

feature/typesense-position-join

feature/focus-visible

dependencies/golangci-lint

feature/better-filter-syntax

fix/tiptap-task-list

renovate/github.com-golang-jwt-jwt-v4-5.x

feature/hide-forbidden-related-tasks

renovate/golang-1.x

release/0.20

release/0.17

release/0.16

release/0.15

release/0.14

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vikunja#5742