From a89816affbd46b0413a949c36456cce0e4131979 Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Sun, 31 May 2026 23:30:44 +0530
Subject: [PATCH] fix(server): reduce express.json body limit from 50 mb to 512 kb [NSoC'26]

A 50 MB body limit allowed a single HTTP request to force the server to allocate and parse 50 MB of JSON before any route handler ran. Combined with the existing 100 req / 15 min rate limit, an attacker could push up to 5 GB of data per IP per window, exhausting server heap memory. Legitimate payloads for this API (task objects, chat messages, analytics) are at most a few kilobytes. 512 KB is more than sufficient for any real request and eliminates the memory-exhaustion vector. Closes #137
---
 backend/server.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/backend/server.js b/backend/server.js
index 4e7e3ee..eaae5ce 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -30,8 +30,12 @@ const reactionsStore = {};
 app.use(cors());
 app.use(apiLimiter);
-app.use(express.json({ limit: "50mb" }));
-app.use(express.urlencoded({ limit: "50mb", extended: true }));
+// Tight body-size limit. Legitimate payloads for this API (task objects,
+// chat messages) are a few kilobytes at most. 50 mb allowed a single
+// request to force the server to allocate and parse 50 MB of JSON before
+// any route handler ran, enabling memory exhaustion with very few requests.
+app.use(express.json({ limit: "512kb" }));
+app.use(express.urlencoded({ limit: "512kb", extended: true }));
 app.get("/", (req, res) => {
   res.send("FlowForge Backend Running 🚀");