diff --git a/backend/src/__tests__/errorHandling.test.ts b/backend/src/__tests__/errorHandling.test.ts index 991fde07..ca0dffb7 100644 --- a/backend/src/__tests__/errorHandling.test.ts +++ b/backend/src/__tests__/errorHandling.test.ts @@ -75,6 +75,25 @@ describe('Centralized Error Handling', () => { }); }); + describe('Request Payload Size Limit', () => { + it('should return 413 when payload exceeds the configured limit', async () => { + // Create a payload larger than 100kb + const largePayload = { + data: 'x'.repeat(1024 * 150), // 150kb string + }; + + const response = await request(app) + .post('/api/simulate') + .set('Authorization', authHeader) + .send(largePayload); + + expect(response.status).toBe(413); + expect(response.body.success).toBe(false); + expect(response.body.error.code).toBe('VALIDATION_ERROR'); + expect(response.body.error.message).toMatch(/payload too large/i); + }); + }); + /* ── Consistent JSON structure ────────────────────────────── */ describe('Response structure consistency', () => { diff --git a/backend/src/app.ts b/backend/src/app.ts index 141faa31..e8259f85 100644 --- a/backend/src/app.ts +++ b/backend/src/app.ts @@ -110,7 +110,8 @@ const corsOptions: cors.CorsOptions = { app.use(cors(corsOptions)); app.use(compression()); -app.use(express.json()); +// Explicit request body size limit set to 100kb to mitigate payload-based DoS and unbounded audit log writes. +app.use(express.json({ limit: '100kb' })); app.use(globalRateLimiter); app.use(requestIdMiddleware); app.use(requestLogger); diff --git a/backend/src/middleware/errorHandler.ts b/backend/src/middleware/errorHandler.ts index 496c2ee2..f15f85fe 100644 --- a/backend/src/middleware/errorHandler.ts +++ b/backend/src/middleware/errorHandler.ts @@ -94,6 +94,19 @@ export const errorHandler = ( return; } + // ── Payload Too Large (body-parser) ──────────────────────── + if ('type' in err && (err as { type?: string }).type === 'entity.too.large') { + res.status(413).json({ + success: false, + message: 'Request payload too large', + error: { + code: ErrorCode.VALIDATION_ERROR, // Or a dedicated code if defined + message: 'Request payload too large', + }, + }); + return; + } + // ── Unexpected / Programming Errors ────────────────────────── logger.error('Unhandled error', { requestId: req.requestId,