Summary
No endpoint in web/app.py enforces maximum length or type constraints on user-supplied fields (username, password, message). A client can send a multi-megabyte string for any field, causing bcrypt to hang (bcrypt silently truncates at 72 bytes but still iterates its work factor), MongoDB documents to bloat, or memory pressure on the Flask worker. None of this is caught before processing.
Background
Input size validation is a basic resilience control (OWASP Input Validation Cheat Sheet). For password specifically, passing an extremely long string to bcrypt.hashpw before the 72-byte truncation can cause noticeable CPU spikes. For message, there is no guard preventing a single user from storing arbitrarily large documents in MongoDB.
Affected Areas
web/app.py — Register.post() lines 88-91, Login.post() lines 112-115, Save.post() lines 145-147
Recommended Fix
Define constants and a validation helper:
```python
MAX_USERNAME_LEN = 64
MAX_PASSWORD_LEN = 128
MAX_MESSAGE_LEN = 1024

def _require_string(value, max_len: int, field: str):
    # Reject non-string JSON values (lists, dicts, numbers) before they reach bcrypt or MongoDB.
    if not isinstance(value, str):
        return f"{field} must be a string"
    # Reject oversize input before any hashing or database work happens.
    if len(value) > max_len:
        return f"{field} exceeds maximum length of {max_len}"
    return None
```
Call _require_string immediately after extracting each field and return HTTP 400 with a descriptive message on failure. Document the limits in the README.
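Added example (not the repository's code) of wiring the helper into a per-endpoint check that runs before any bcrypt or MongoDB work; `FIELD_LIMITS`, `validate_payload`, the `{"status", "msg"}` error shape and the set of fields each endpoint reads are assumptions, not taken from web/app.py.

```python
from typing import Optional

MAX_USERNAME_LEN = 64
MAX_PASSWORD_LEN = 128
MAX_MESSAGE_LEN = 1024

# Assumed field-to-cap map per endpoint (derived from the acceptance criteria above).
FIELD_LIMITS = {
    "register": {"username": MAX_USERNAME_LEN, "password": MAX_PASSWORD_LEN},
    "login": {"username": MAX_USERNAME_LEN, "password": MAX_PASSWORD_LEN},
    "save": {"username": MAX_USERNAME_LEN, "password": MAX_PASSWORD_LEN,
             "message": MAX_MESSAGE_LEN},
}

def _require_string(value, max_len: int, field: str) -> Optional[str]:
    # Type check first: a list or dict would otherwise reach bcrypt.hashpw / MongoDB.
    if not isinstance(value, str):
        return f"{field} must be a string"
    # Length check costs one len() call, so oversize input is cheap to reject.
    if len(value) > max_len:
        return f"{field} exceeds maximum length of {max_len}"
    return None

def validate_payload(endpoint: str, data) -> Optional[dict]:
    """Return an error body to send with HTTP 400, or None when the payload is clean.

    Called immediately after request.get_json(), before hashing or any database access.
    """
    if not isinstance(data, dict):
        return {"status": 400, "msg": "request body must be a JSON object"}
    for field, max_len in FIELD_LIMITS[endpoint].items():
        if field not in data:
            return {"status": 400, "msg": f"{field} is required"}
        err = _require_string(data[field], max_len, field)
        if err is not None:
            return {"status": 400, "msg": err}
    return None

# Assumed Flask-RESTful usage, mirroring the shape of Register.post():
#   data = request.get_json()
#   err = validate_payload("register", data)
#   if err is not None:
#       return jsonify(err), 400
#   hashed = bcrypt.hashpw(data["password"].encode(), bcrypt.gensalt())  # only reached for bounded input
```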
Acceptance Criteria
- username capped at 64 chars in Register and Login
- password capped at 128 chars in Register and Login
- message capped at 1024 chars in Save
Complexity Estimate
S — small helper function, a handful of call sites, and test cases; under a half-day of work.
Priority
Medium — not a showstopper but teaches learners a foundational validation pattern and removes a real DoS vector.
Auto-identified by workspace issue-logger
Category: error handling / resilience
Complexity: S
Repository: DewaldOosthuizen/python_rest_tutorial