[MEDIUM] Public-facing file upload endpoints have no size limits #27

New issue

Open

opened 2026-05-05 15:44:48 -05:00 by pjennings · 0 comments

pjennings commented 2026-05-05 15:44:48 -05:00

Owner

Copy link

Labels: area:security, area:network, priority:medium, type:enhancement

Description

In hosts/rp1.nix, multiple public-facing services have client_max_body_size 0 (unlimited):

• photos.reinitialized.me (Immich)
• docs.reinitialized.me (Paperless-ngx)
• cloud.reinitialized.net (ownCloud OCIS)

Impact

Denial of service through extremely large uploads consuming disk space and bandwidth. An attacker could fill the data disk, causing service outages.

Recommended Fix

Set reasonable upload limits:

• photos.reinitialized.me: 50GB (large photo/video uploads)
• docs.reinitialized.me: 5GB (document uploads)
• cloud.reinitialized.net: 10GB (cloud storage)
  Keep proxy_request_buffering off for performance.

**Labels:** area:security, area:network, priority:medium, type:enhancement ## Description In hosts/rp1.nix, multiple public-facing services have client_max_body_size 0 (unlimited): - photos.reinitialized.me (Immich) - docs.reinitialized.me (Paperless-ngx) - cloud.reinitialized.net (ownCloud OCIS) ## Impact Denial of service through extremely large uploads consuming disk space and bandwidth. An attacker could fill the data disk, causing service outages. ## Recommended Fix Set reasonable upload limits: - photos.reinitialized.me: 50GB (large photo/video uploads) - docs.reinitialized.me: 5GB (document uploads) - cloud.reinitialized.net: 10GB (cloud storage) Keep proxy_request_buffering off for performance.

pjennings added this to the Security: Medium and Low Findings milestone 2026-05-06 16:48:03 -05:00

pjennings added the

area:security

priority:medium

type:bug

labels 2026-05-06 16:49:27 -05:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

indev

No results found.

Labels

Clear labels   

area:documentation

Documentation, inventory, runbooks

  

area:infrastructure

Infrastructure services and hardware

  

area:network

Network, firewall, and connectivity

  

area:security

Security vulnerabilities and findings

  

priority:critical

Fix immediately — active risk

  

priority:high

Fix within 1-2 weeks

  

priority:low

Backlog — hardening and best practices

  

priority:medium

Fix within 1 month

  

status:blocked

Blocked on dependency or decision

  

type:bug

Misconfiguration or broken behavior

  

type:deployment

New service or system deployment

  

type:enhancement

Improvement or hardening

  

type:investigation

Needs research or identification

No labels

area:documentation

area:infrastructure

area:network

area:security

priority:critical

priority:high

priority:low

priority:medium

status:blocked

type:bug

type:deployment

type:enhancement

type:investigation

Milestone

Clear milestone

No items

No milestone

Security: Medium and Low Findings

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

reinitialized.net/infrastructure#27

No description provided.