fix(api): make body-size caps NaN-safe and raise chat input/attachment limits

waleedlatif1 · waleedlatif1 · commit cb0beb3db36b · 2026-06-10T10:14:59.000-07:00
- DEFAULT_MAX_JSON_BODY_BYTES and CHAT_MAX_REQUEST_BYTES now fall back to
  hardcoded defaults (50 MB / 220 MB) when the env value is missing or
  non-numeric, so a misconfig can't silently produce a NaN cap that never
  rejects.
- Raise CHAT_MAX_REQUEST_BYTES default to 220 MB to cover 15 base64 file
  attachments, and MAX_CHAT_INPUT_CHARS to 1,000,000.
- Minor: tidy use-inline-rename onSave type; drop two redundant test comments.
diff --git a/apps/sim/app/api/chat/[identifier]/route.ts b/apps/sim/app/api/chat/[identifier]/route.ts
@@ -42,7 +42,7 @@ function toChatConfigResponse(deployment: ChatConfigSource) {
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
 
-const CHAT_MAX_REQUEST_BYTES = Number.parseInt(env.CHAT_MAX_REQUEST_BYTES, 10)
+const CHAT_MAX_REQUEST_BYTES = Number.parseInt(env.CHAT_MAX_REQUEST_BYTES, 10) || 220 * 1024 * 1024
 
 export const POST = withRouteHandler(
   async (request: NextRequest, context: { params: Promise<{ identifier: string }> }) => {
diff --git a/apps/sim/app/api/files/authorization.test.ts b/apps/sim/app/api/files/authorization.test.ts
@@ -177,7 +177,6 @@ describe('public-context access (profile-pictures / og-images / workspace-logos)
   })
 
   it('denies a cross-tenant delete that names a workspace key under a public context', async () => {
-    // Reported attack: a workspace key passed under a public context to dodge the ownership check.
     await expect(write('workspace/victim-ws/123-report.pdf', 'og-images')).resolves.toBe(false)
     expect(mockGetUserEntityPermissions).not.toHaveBeenCalled()
   })
diff --git a/apps/sim/app/api/files/delete/route.test.ts b/apps/sim/app/api/files/delete/route.test.ts
@@ -200,7 +200,6 @@ describe('File Delete API Route', () => {
   })
 
   it('rejects a client context that disagrees with the key prefix', async () => {
-    // Reported attack: a workspace key passed under a public context to dodge the ownership check.
     const req = createMockRequest('POST', {
       filePath: '/api/files/serve/s3/workspace/victim-ws/1234-report.pdf',
       context: 'og-images',
diff --git a/apps/sim/hooks/use-inline-rename.ts b/apps/sim/hooks/use-inline-rename.ts
@@ -9,7 +9,7 @@ interface UseInlineRenameProps {
    * `mutateAsync(...)`) — NOT a fire-and-forget `mutate(...)` — so `isSaving`
    * spans the in-flight request and a rejection can revive the edit session.
    */
-  onSave: (id: string, newName: string) => void | Promise<unknown>
+  onSave: (id: string, newName: string) => undefined | Promise<unknown>
 }
 
 /**
diff --git a/apps/sim/lib/api/contracts/chats.ts b/apps/sim/lib/api/contracts/chats.ts
@@ -110,7 +110,7 @@ export const deployedChatAuthBodySchema = z.object({
 })
 export type DeployedChatAuthBody = z.input<typeof deployedChatAuthBodySchema>
 
-const MAX_CHAT_INPUT_CHARS = 100_000
+const MAX_CHAT_INPUT_CHARS = 1_000_000
 const MAX_CHAT_FILE_DATA_CHARS = 14 * 1024 * 1024
 const MAX_CHAT_FILES = 15
 
diff --git a/apps/sim/lib/api/server/validation.ts b/apps/sim/lib/api/server/validation.ts
@@ -20,8 +20,11 @@ import {
  * and parse into memory. Next.js App Router imposes no body cap, so without
  * this an unauthenticated caller could buffer an arbitrarily large body before
  * schema validation runs. Override per-route via `ParseRequestOptions.maxBodyBytes`.
+ * Falls back to 50 MB if the env value is missing or non-numeric so a misconfig
+ * can never silently disable the cap (a NaN limit would never reject).
  */
-export const DEFAULT_MAX_JSON_BODY_BYTES = Number.parseInt(env.API_MAX_JSON_BODY_BYTES, 10)
+export const DEFAULT_MAX_JSON_BODY_BYTES =
+  Number.parseInt(env.API_MAX_JSON_BODY_BYTES, 10) || 50 * 1024 * 1024
 
 export interface ValidationErrorBody {
   error: string
diff --git a/apps/sim/lib/core/config/env.ts b/apps/sim/lib/core/config/env.ts
@@ -244,7 +244,7 @@ export const env = createEnv({
     // Admission & Burst Protection
     ADMISSION_GATE_MAX_INFLIGHT:           z.string().optional().default('500'),   // Max concurrent in-flight execution requests per pod
     API_MAX_JSON_BODY_BYTES:               z.string().optional().default('52428800'),// Default max JSON request body size for contract routes (50 MB)
-    CHAT_MAX_REQUEST_BYTES:                z.string().optional().default('20971520'),// Max request body size for the public deployed-chat endpoint (20 MB)
+    CHAT_MAX_REQUEST_BYTES:                z.string().optional().default('230686720'),// Max request body size for the public deployed-chat endpoint (220 MB; covers 15 base64 file attachments)
 
     // Rate Limiting Configuration
     RATE_LIMIT_WINDOW_MS:                  z.string().optional().default('60000'), // Rate limit window duration in milliseconds (default: 1 minute)

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ interface UseInlineRenameProps {`
`9`	`9`	* `mutateAsync(...)`) — NOT a fire-and-forget `mutate(...)` — so `isSaving`
`10`	`10`	`* spans the in-flight request and a rejection can revive the edit session.`
`11`	`11`	`*/`
`12`		`- onSave: (id: string, newName: string) => void \| Promise<unknown>`
	`12`	`+ onSave: (id: string, newName: string) => undefined \| Promise<unknown>`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`/**`