python.fastapi.request_body_unbounded

Stability High

Detects FastAPI endpoints without request body size limits.

Why It Matters

Unbounded request bodies:

• Memory exhaustion — Large uploads crash server
• DoS attacks — Attackers send huge payloads
• Resource starvation — One request consumes all memory

Example

# ❌ Before (unbounded)
@app.post("/upload")
async def upload(file: UploadFile):
    content = await file.read()  # No size limit!
    return {"size": len(content)}

# ✅ After (with size limit)
from fastapi import HTTPException

MAX_SIZE = 10 * 1024 * 1024  # 10MB

@app.post("/upload")
async def upload(file: UploadFile):
    content = await file.read(MAX_SIZE + 1)
    if len(content) > MAX_SIZE:
        raise HTTPException(413, "File too large")
    return {"size": len(content)}

What Unfault Detects

• UploadFile.read() without size limits
• Request.body() without limits
• Missing content-length validation

Related Rules

• python.large_response_memory