GHSA-8rwr-f68v-cvw6
NocoDB: Attachment Size Limit Bypass via Upload-by-URL
Details
### Summary

The upload-by-URL path did not enforce `NC_ATTACHMENT_FIELD_SIZE` against either the remote file's advertised `Content-Length` or the decoded length of a `data:` URI, allowing an authenticated user to bypass the configured per-file size limit.

### Details

The attachments service now checks `NC_ATTACHMENT_FIELD_SIZE` against both the HEAD response's `content-length` and the decoded length of a `data:` URI body before fetching. The local storage plugin additionally sets `maxContentLength` on the axios download so a malicious server cannot stream past the limit.

### Impact

Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps.

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).
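The three enforcement points the advisory describes, as an added Node.js example that is not NocoDB's own code: the function names, the `MAX_BYTES` stand-in for `NC_ATTACHMENT_FIELD_SIZE`, and the constructed HEAD headers, `data:` URIs and chunk stream are all assumptions for illustration. The download cap reimplements by hand what the advisory attributes to axios's `maxContentLength`, so the example runs offline.

```javascript
// Added example, not NocoDB's code. Hypothetical helpers enforcing a per-file
// attachment limit on an upload-by-URL path at the three points the advisory
// names: the HEAD Content-Length, the decoded data: URI body, and the download
// itself. MAX_BYTES stands in for NC_ATTACHMENT_FIELD_SIZE (constructed value).
const MAX_BYTES = 1024;

class AttachmentTooLarge extends Error {
  constructor(stage, bytes, limit) {
    super(`${stage}: ${bytes} bytes exceeds the ${limit}-byte limit`);
    this.name = 'AttachmentTooLarge';
    this.stage = stage;
    this.bytes = bytes;
  }
}

// Check 1: the advertised size from the HEAD response. Returns the parsed
// length, or null when the header is absent or unparsable. null is not "small":
// the remote server controls this header and may omit or fake it, which is
// why check 3 exists.
function checkAdvertisedLength(headers, limit = MAX_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return null;
  const n = Number.parseInt(String(raw), 10);
  if (!Number.isSafeInteger(n) || n < 0) return null;
  if (n > limit) throw new AttachmentTooLarge('head', n, limit);
  return n;
}

// Check 2: the decoded size of a data: URI. The URL's string length is the
// wrong measure: base64 is 4/3 of the payload, percent-encoding up to 3x, so
// the body is decoded and its byte count compared to the limit.
function checkDataUriLength(uri, limit = MAX_BYTES) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/is.exec(uri);
  if (!m) throw new TypeError('not a data: URI');
  const body = m[3];
  const bytes = m[2]
    ? Buffer.from(body, 'base64').length
    : Buffer.byteLength(decodeURIComponent(body), 'utf8');
  if (bytes > limit) throw new AttachmentTooLarge('data-uri', bytes, limit);
  return bytes;
}

// Check 3: a hard cap while downloading, the hand-rolled equivalent of axios's
// maxContentLength. Bytes are counted as chunks arrive and the read is aborted
// as soon as the total passes the limit, so a server that advertised 512 bytes
// and then streams megabytes is cut off at the first excess chunk.
async function readCapped(chunks, limit = MAX_BYTES) {
  const parts = [];
  let total = 0;
  for await (const chunk of chunks) {
    total += chunk.length;
    if (total > limit) throw new AttachmentTooLarge('stream', total, limit);
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// Constructed remote body: totalBytes of 'A' delivered in fixed-size chunks,
// standing in for an HTTP response stream.
function* fakeBody(totalBytes, chunkSize = 256) {
  for (let sent = 0; sent < totalBytes; sent += chunkSize) {
    yield Buffer.alloc(Math.min(chunkSize, totalBytes - sent), 0x41);
  }
}

// Combines the checks the way an upload-by-URL handler would and reports which
// stage rejected the input, or 'ok' with the accepted byte count.
async function fetchAttachmentByUrl(source) {
  try {
    if (source.url.startsWith('data:')) {
      return { stage: 'ok', bytes: checkDataUriLength(source.url) };
    }
    checkAdvertisedLength(source.headHeaders); // cheap pre-flight reject
    const body = await readCapped(source.body); // the actual enforcement
    return { stage: 'ok', bytes: body.length };
  } catch (e) {
    if (e instanceof AttachmentTooLarge) return { stage: e.stage, bytes: e.bytes };
    throw e;
  }
}
```

The HEAD check only saves bandwidth on honest servers; the download cap is what actually enforces the limit against a server that lies about or omits `Content-Length`. For a base64 `data:` URI whose size is itself a concern, the decoded length can be bounded arithmetically from the string length (roughly three quarters of it) before decoding anything.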
Affected packages
No fixed version published yet for nocodb (npm). Pin to a known-safe version or switch to an alternative.