NocoDB: Attachment Size Limit Bypass via Upload-by-URL

Summary

The upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit.

Details

The attachments service now checks NC_ATTACHMENT_FIELD_SIZE against both the HEAD response's content-length and the decoded length of a data: URI body before fetching. The local storage plugin additionally sets maxContentLength on the axios download so a malicious server cannot stream past the limit.

Impact

Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps.

Credit

This issue was reported by @bugbunny-research.