fix: Cloud Function multipart requests bypass the maxUploadSize limit #10498

Merged
mtrezza merged 2 commits into parse-community:alpha from mtrezza:fix/multipart-cloud-function-ignores-max-upload-size
Jun 6, 2026
@mtrezza
Member

@mtrezza mtrezza commented Jun 5, 2026

Issue

Cloud Function multipart/form-data requests are not bounded by the maxUploadSize limit

Tasks

  • Add new feature
  • Add breaking change
  • Fix a bug
  • Improve existing feature
  • Improve code quality
  • Improve test suite
  • Improve documentation

@parse-github-assistant

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 213cea75-df7b-43c3-a14e-c71522b5fba4

📥 Commits

Reviewing files that changed from the base of the PR and between b5a72c9 and 3eda7af.

📒 Files selected for processing (1)
  • src/Routers/FunctionsRouter.js
💤 Files with no reviewable changes (1)
  • src/Routers/FunctionsRouter.js

📝 Walkthrough

The PR adds size enforcement to multipart upload handling in FunctionsRouter. The middleware now validates declared content-length upfront, tracks accumulated raw bytes during request ingestion, and safely rejects oversized payloads with OBJECT_TOO_LARGE. Tests verify both the header-level and stream-level rejection paths.

Changes

Multipart Upload Size Enforcement

| Layer / File(s) | Summary |
|---|---|
| Size enforcement implementation (src/Routers/FunctionsRouter.js) | Early content-length check rejects oversized declarations before busboy parsing begins (lines 204–213). Raw-byte tracking via req.on('data') listener counts incoming chunks and rejects once the total exceeds maxUploadSize (lines 294–310). SafeReject handler is hardened with a settled guard and unpipes from busboy before cleanup to ensure only one rejection fires (lines 226–231). |
| Size enforcement test coverage (spec/CloudCodeMultipart.spec.js) | Two Jest test cases verify enforcement: first test reconfigures maxUploadSize: '1kb', constructs a multipart body with 2000 empty fields to exceed the limit, and asserts Parse.Error.OBJECT_TOO_LARGE (lines 366–395). Second test uses the same payload but sets an explicit Content-Length header and verifies early rejection (lines 397–423). |


🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | No pull request description was provided by the author, missing all required template sections including Issue, Approach, and Tasks. | Add a complete PR description following the template with sections for Issue, Approach, and completion status of required tasks like tests and documentation. |
| Engage In Review Feedback | ❓ Inconclusive | Cannot verify PR review feedback engagement because GitHub review comments are not accessible via repository analysis alone; PR is newly created (2026-06-05) and may not have review comments yet. | Access the actual PR #10498 on GitHub to check for review comments and verify user engagement with any feedback provided by reviewers. |

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title clearly describes the main issue being fixed: multipart requests bypassing the maxUploadSize limit, and it follows the required 'fix:' prefix format. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Security Check | ✅ Passed | Securely fixes multipart upload size bypass by validating Content-Length, tracking raw bytes, proper cleanup with settled flags, and preventing prototype pollution via Object.create(null). |

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
spec/CloudCodeMultipart.spec.js (1)

397-423: 🏗️ Heavy lift

This spec does not actually pin the Content-Length fast path.

Lines 411-420 send the same already-oversized multipart body as the wire-size test, so this still passes via src/Routers/FunctionsRouter.js Lines 294-313 even if the new header preflight on Lines 204-213 regresses. If this PR is meant to lock down both checkpoints, this needs a test that can fail before the body is streamed, or a smaller unit-testable seam around the header validation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@spec/CloudCodeMultipart.spec.js` around lines 397 - 423, The test currently
uses a truly oversized body so it can pass via the body-stream check in
FunctionsRouter (wire-size path around the 294-313 logic) and does not verify
the new header-only preflight (header check around 204-213); change the spec to
send a small multipart body (use buildMultipartBody and postMultipart) but set
the Content-Length header to a value larger than the configured maxUploadSize
(reconfigureServer({ maxUploadSize: '1kb' })) so the request will be rejected at
header preflight, or alternatively add a unit test that directly calls the
header-validation function in FunctionsRouter (the header preflight path) with
an oversized Content-Length to assert OBJECT_TOO_LARGE is returned before
streaming.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4e29e5eb-80b6-4121-8a43-04047462ade7

📥 Commits

Reviewing files that changed from the base of the PR and between 78859a9 and b5a72c9.

📒 Files selected for processing (2)
  • spec/CloudCodeMultipart.spec.js
  • src/Routers/FunctionsRouter.js

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 5, 2026
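
The two checkpoints discussed in this review (the Content-Length preflight and the raw-byte counter), as an added example that is not part of the PR or of Parse Server: a simplified synchronous model, with hypothetical names, that reports which checkpoint rejects a request with the preflight enabled and with it regressed. It assumes maxUploadSize '1kb' means 1024 bytes and uses constructed multipart bodies.

```javascript
// Simplified model of the two checkpoints; not Parse Server code.
// createUploadGuard, ingest, buildChunks and compare are hypothetical names.
const MAX = 1024; // assumes maxUploadSize '1kb' means 1024 bytes

function createUploadGuard(maxBytes, { headerPreflight = true } = {}) {
  let received = 0;
  let rejection = null; // doubles as the settled flag: the first rejection wins
  const reject = checkpoint => { rejection = rejection || { error: 'OBJECT_TOO_LARGE', checkpoint }; };
  return {
    // Checkpoint 1: declared size, checked before any body byte is parsed.
    checkHeaders(headers) {
      const declared = Number(headers['content-length']);
      if (headerPreflight && Number.isFinite(declared) && declared > maxBytes) reject('header');
    },
    // Checkpoint 2: raw wire bytes per chunk; also covers a missing Content-Length.
    onData(chunk) {
      received += chunk.length;
      if (received > maxBytes) reject('stream');
    },
    rejection: () => rejection,
  };
}

// Run one request through the guard, stopping at the first rejection.
function ingest(guard, headers, chunks) {
  guard.checkHeaders(headers);
  for (const chunk of chunks) {
    if (guard.rejection()) break; // stands in for unpiping the parser
    guard.onData(chunk);
  }
  return guard.rejection() || { error: null, checkpoint: null };
}

// Constructed input: a multipart body of n empty fields, in 256-byte chunks.
function buildChunks(n) {
  const part = '--b\r\nContent-Disposition: form-data; name="f"\r\n\r\n\r\n';
  const buf = Buffer.from(part.repeat(n) + '--b--\r\n');
  const chunks = [];
  for (let o = 0; o < buf.length; o += 256) chunks.push(buf.subarray(o, o + 256));
  return { chunks, length: buf.length };
}

// Checkpoint that rejects a request with the preflight enabled, then regressed (off).
const compare = (headers, chunks) => [true, false].map(on =>
  ingest(createUploadGuard(MAX, { headerPreflight: on }), headers, chunks).checkpoint);

const big = buildChunks(2000), small = buildChunks(2);
console.log(compare({ 'content-length': String(big.length) }, big.chunks)); // [ 'header', 'stream' ]
console.log(compare({ 'content-length': '4096' }, small.chunks)); // [ 'header', null ]
console.log(compare({}, big.chunks)); // [ 'stream', 'stream' ]
```

With the preflight disabled, the oversized body is still rejected by the byte counter, while the small body with a large declared length is not rejected at all, which is the case the review comment asks the spec to cover.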
@codecov

codecov Bot commented Jun 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.59%. Comparing base (78859a9) to head (3eda7af).

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10498      +/-   ##
==========================================
- Coverage   92.60%   92.59%   -0.01%     
==========================================
  Files         193      193              
  Lines       16919    16928       +9     
  Branches      234      234              
==========================================
+ Hits        15667    15674       +7     
- Misses       1229     1231       +2     
  Partials       23       23              

@mtrezza mtrezza merged commit f12e1c3 into parse-community:alpha Jun 6, 2026
22 of 24 checks passed
@mtrezza mtrezza deleted the fix/multipart-cloud-function-ignores-max-upload-size branch June 6, 2026 00:44
parseplatformorg pushed a commit that referenced this pull request Jun 6, 2026
## [9.9.1-alpha.7](9.9.1-alpha.6...9.9.1-alpha.7) (2026-06-06)

### Bug Fixes

* Cloud Function multipart requests bypass the maxUploadSize limit ([#10498](#10498)) ([f12e1c3](f12e1c3))
@parseplatformorg
Contributor

🎉 This change has been released in version 9.9.1-alpha.7

Labels

state:released-alpha Released as alpha version
