Problem
Flask's MAX_CONTENT_LENGTH is not configured on the app. The /api/upload endpoint will accept arbitrarily large file uploads, limited only by container disk and memory. An authenticated user (or accidental large paste) could exhaust resources.
Location
app.py — missing app.config['MAX_CONTENT_LENGTH'] after app initialization.
Recommended Fix
Set MAX_CONTENT_LENGTH to 32 MB (slightly above Claude Code's documented 30 MB per-file limit to allow overhead):
from flask import Flask

app = Flask(__name__, static_folder="static")
app.config['MAX_CONTENT_LENGTH'] = 32 * 1024 * 1024  # 32 MB: headroom above Claude Code's 30 MB per-file limit
This aligns with Claude Code's own file upload limit of 30 MB per file. Flask will automatically return a 413 Request Entity Too Large response for uploads exceeding this limit before reading the full body into memory.
No changes needed on the client side — the existing upload UI already handles error responses.
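To make the 413 behaviour concrete, here is an added example (not code from this app, Flask or Werkzeug): a stdlib-only WSGI middleware that does what MAX_CONTENT_LENGTH does, refusing on the declared Content-Length before the body is read and, for bodies sent without a Content-Length, capping what the handler can read while it streams. `upload_app` and `post` are constructed stand-ins for /api/upload and a client; the real fix remains the config setting above.

```python
import io

MAX_CONTENT_LENGTH = 32 * 1024 * 1024  # the 32 MB value recommended above


class RequestEntityTooLarge(Exception):
    """Raised when a body with no Content-Length exceeds the cap while streaming."""


class LimitedInput:
    """Wraps wsgi.input so that at most `limit` bytes can ever be read from it."""
    def __init__(self, stream, limit):
        self.stream, self.remaining = stream, limit

    def read(self, size=-1):
        if size is None or size < 0 or size > self.remaining + 1:
            size = self.remaining + 1  # one extra byte reveals an oversized body
        data = self.stream.read(size)
        self.remaining -= len(data)
        if self.remaining < 0:
            raise RequestEntityTooLarge()
        return data


def limit_content_length(app, limit=MAX_CONTENT_LENGTH):
    """WSGI middleware: answer 413 before the wrapped app ever reads an oversized body."""
    def too_large(start_response):
        start_response("413 Request Entity Too Large", [("Content-Type", "text/plain")])
        return [b"Request Entity Too Large\n"]

    def middleware(environ, start_response):
        if int(environ.get("CONTENT_LENGTH") or 0) > limit:
            return too_large(start_response)  # declared length decides; body never read
        environ["wsgi.input"] = LimitedInput(environ["wsgi.input"], limit)  # no/true length
        try:
            return app(environ, start_response)
        except RequestEntityTooLarge:
            return too_large(start_response)
    return middleware


def upload_app(environ, start_response):
    """Constructed stand-in for /api/upload: reads the whole body, as a file handler would."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"stored %d bytes\n" % len(body)]


def post(app, body, declare_length=True):
    """Drive `app` with a constructed POST and return the status line it chose."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/api/upload", "wsgi.input": io.BytesIO(body)}
    if declare_length:
        environ["CONTENT_LENGTH"] = str(len(body))
    status = []
    b"".join(app(environ, lambda s, h, exc_info=None: status.append(s)))
    return status[0]
```

Wrapping a Flask app the same way means `app.wsgi_app = limit_content_length(app.wsgi_app)`, but with MAX_CONTENT_LENGTH set Flask already performs this check itself.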
Severity
Medium — allows disk/memory exhaustion by an authenticated user. Mitigated by Databricks Apps' single-owner model (only the app owner can upload).
Found during security assessment v2 (2026-03-24).