indifferentketchup/boocode
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.11.8: address review — inject fetcher, byte-count limit, redirect TODO

Browse Source
This commit is contained in:
indifferentketchup
2026-05-20 21:40:11 +00:00
parent 2fdbb05477
commit 4e67a265ac
3 changed files with 58 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
apps/server/src/services/web_fetch.ts
View File

@@ -86,6 +86,8 @@ export async function executeWebFetch(
try {
const res = await fetcher(input.url, {
signal: controller.signal,
// TODO(v1.11.9): redirect: 'manual' + re-run isPublicUrl on Location header.
// Current 'follow' allows redirect-to-private-IP bypass of URL guard.
redirect: 'follow',
headers: { 'User-Agent': 'BooCode/1.11.8', Accept: 'text/html,text/plain,application/json,*/*' },
});
@@ -107,8 +109,13 @@ export async function executeWebFetch(
// about length AND streams gigabytes would defeat that; for v1.11.8
// the 15s timeout is the secondary fence.
const body = await res.text();
if (body.length > MAX_BYTES) {
return { error: 'response_too_large', reason: `body ${body.length} > ${MAX_BYTES}` };
// v1.11.8 review: byte-count, not char-count. A 5MB cap on
// body.length (UTF-16 code units) lets a multi-byte payload (emoji,
// CJK) pass when its wire size already exceeded MAX_BYTES. Compute
// once and reuse for the error message.
const bodyBytes = Buffer.byteLength(body, 'utf8');
if (bodyBytes > MAX_BYTES) {
return { error: 'response_too_large', reason: `body ${bodyBytes} bytes > ${MAX_BYTES}` };
}
let textRaw: string;