
Add configurable payload size limit for Express server #13

Open
lutzleonhardt wants to merge 2 commits into master from brokk/issue-4-wsx4w5

Conversation

@lutzleonhardt lutzleonhardt (Owner) commented Feb 12, 2026

User description

This pull request introduces a configurable payload size limit for the Copilot Proxy server to handle larger requests.

Key changes include:

  • Configuration Support: Added a new copilotProxy.payloadLimit setting in package.json (defaulting to '50mb') allowing users to customize the maximum request size.
  • Server Integration: The Express server now retrieves this limit from the extension configuration via environment variables.
  • Middleware Update: Updated the express.json middleware in src/server.ts to enforce the specified limit, preventing "Payload Too Large" errors during heavy data transfers.
  • Improved Feedback: The server start notification now explicitly mentions the active payload limit.

Note: There was a slight merge conflict artifact in the provided diff for src/server.ts which should be cleaned up during integration.

Fixes #4


PR Type

Enhancement


Description

  • Add configurable payload size limit for Express server

  • Retrieve payload limit from VS Code configuration settings

  • Update express.json middleware to enforce payload limit

  • Enhance server start notification with payload limit info

  • Add morgan logger middleware for request logging


Diagram Walkthrough

flowchart LR
  config["VS Code Configuration<br/>copilotProxy.payloadLimit"]
  ext["extension.ts<br/>Read config & set env var"]
  server["server.ts<br/>Apply limit to express.json"]
  response["Express Server<br/>Enforces payload limit"]
  config -- "payloadLimit setting" --> ext
  ext -- "PAYLOAD_LIMIT env var" --> server
  server -- "limit parameter" --> response

File Walkthrough

Relevant files

Enhancement

  extension.ts (src/extension.ts), +5/-2
  Configure and pass payload limit to server
    • Refactored configuration retrieval to use single config object
    • Added retrieval of payloadLimit setting from configuration
    • Set PAYLOAD_LIMIT environment variable for server consumption
    • Updated server start notification to display active payload limit

  server.ts (src/server.ts), +11/-2
  Apply payload limit and add request logging
    • Added morgan logger middleware for HTTP request logging
    • Updated express.json middleware to accept configurable limit parameter
    • Retrieve payload limit from environment variable with 50mb default
    • Note: Diff contains merge conflict markers that need cleanup

Configuration changes

  package.json (package.json), +5/-0
  Add payload limit configuration property
    • Added new copilotProxy.payloadLimit configuration property
    • Set default value to '50mb' for maximum payload size
    • Provided description for users on payload limit usage
    • Added comma separator after existing port configuration

@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Denial of service

Description: Increasing the JSON body size limit to a large, user-configurable value (via
process.env.PAYLOAD_LIMIT) can enable denial-of-service through very large request bodies
consuming memory/CPU during parsing.
server.ts [17-21]

Referred Code
const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
app.use(express.json({ limit: payloadLimit }));

// Logger middleware
app.use(morgan('combined'));
Ticket Compliance
🟡
🎫 #4
🟢 Make the request payload/body limit configurable (so users can adjust without code
changes).
🔴 Ensure the server actually applies the configured payload limit when parsing JSON
requests.
Remove/raise the Express JSON body parsing limit that triggers PayloadTooLargeError for
requests that should be accepted.
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


🔴
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Broken code artifact: The new src/server.ts hunk contains merge-conflict markers (=======) which will break
execution instead of degrading gracefully or providing actionable error context.

Referred Code
=======
const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
app.use(express.json({ limit: payloadLimit }));

// Logger middleware
app.use(morgan('combined'));
=======


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Unstructured request logs: The added morgan('combined') logging is unstructured and may log sensitive data
present in URLs/query strings or headers, violating the requirement for structured logs
without sensitive content.

Referred Code
app.use(morgan('combined'));
=======
const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
app.use(express.json({ limit: payloadLimit }));

// Logger middleware
app.use(morgan('combined'));


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unvalidated limit input: The new configuration-driven payloadLimit is passed through process.env.PAYLOAD_LIMIT
without validation/sanitization, enabling unsafe/boundary values that could cause DoS via
oversized payloads or misconfiguration.

Referred Code
const config = vscode.workspace.getConfiguration("copilotProxy");
const configPort = config.get("port", 3000);
const payloadLimit = config.get("payloadLimit", "50mb");
process.env.PAYLOAD_LIMIT = payloadLimit;
serverInstance = startServer(configPort);
vscode.window.showInformationMessage(`Express server started on port ${configPort} with ${payloadLimit} payload limit.`);


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing user context: The newly added request logging via morgan('combined') does not include user
identity/context or explicit outcomes, so it may be insufficient for reconstructing
critical actions depending on what this server handles.

Referred Code
app.use(morgan('combined'));
=======
const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
app.use(express.json({ limit: payloadLimit }));

// Logger middleware
app.use(morgan('combined'));
=======

// Logger middleware
app.use(morgan('combined'));


Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review

qodo-code-review bot commented Feb 12, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Clean up conflict markers and duplicate middleware

Remove merge conflict markers and duplicate logger middleware from
src/server.ts.

src/server.ts [12-22]

 // Middleware to parse JSON bodies with configurable limit
-
-// Logger middleware
-app.use(morgan('combined'));
-=======
 const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
 app.use(express.json({ limit: payloadLimit }));
 
 // Logger middleware
 app.use(morgan('combined'));
-=======
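Review bot: with the markers and the duplicate `app.use(morgan('combined'))` removed, `const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb'` still sits at module scope of src/server.ts, so it is evaluated when the module is imported, before extension.ts assigns `process.env.PAYLOAD_LIMIT` immediately ahead of `startServer(configPort)`. On its own this cleanup makes the file load again but leaves the configured limit read too early; apply it together with moving the `express.json` setup into `startServer`.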

[Suggestion processed]

Suggestion importance[1-10]: 10


Why: This suggestion correctly identifies critical merge conflict markers (=======) and duplicated middleware in src/server.ts, which would prevent the application from running.

High
General
Pass payload limit as parameter

Pass payloadLimit as a direct parameter to the startServer function instead of
using an environment variable.

src/extension.ts [51-52]

-process.env.PAYLOAD_LIMIT = payloadLimit;
-serverInstance = startServer(configPort);
+serverInstance = startServer(configPort, payloadLimit);
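Review bot: the call site now passes two arguments, but `startServer` in src/server.ts is declared as `startServer(port: number)` (see the hunk under "Apply limit at server start"), so this change does not type-check until the signature gains a `payloadLimit` parameter and `express.json({ limit })` is fed from it. Dropping the `process.env.PAYLOAD_LIMIT` assignment while server.ts still reads that variable would otherwise make every configured value silently fall back to '50mb'.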
Suggestion importance[1-10]: 6


Why: The suggestion proposes passing the payloadLimit as a parameter instead of using an environment variable, which improves code clarity and testability by making dependencies explicit.

Low
Possible issue
Apply limit at server start

Move the Express app initialization and express.json() middleware setup into the
startServer function to ensure the payloadLimit is applied at runtime, not at
module import time.

src/server.ts [10-22]

-const app = express();
+export function startServer(port: number) {
+  const app = express();
 
-// Middleware to parse JSON bodies with configurable limit
+  const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
+  app.use(express.json({ limit: payloadLimit }));
 
-// Logger middleware
-app.use(morgan('combined'));
-=======
-const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
-app.use(express.json({ limit: payloadLimit }));
+  app.use(morgan('combined'));
 
-// Logger middleware
-app.use(morgan('combined'));
-=======
+  ...
+}
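Review bot: the `+  ...` placeholder hides the remainder of the function; whatever fills it must still create and return the listening server, since extension.ts assigns `serverInstance = startServer(configPort)`, and any other module-level `app.use` or route registrations in server.ts have to move inside `startServer` as well, because `app` stops being a module-level constant. While the function is being restructured, taking the limit as a parameter (`startServer(port: number, payloadLimit: string)`) removes the dependency on process.env altogether, which is what the "Pass payload limit as parameter" suggestion proposes.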

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies a critical bug where the payloadLimit from the configuration is read before it is set, making the new feature non-functional. The proposed fix is correct and necessary.

High
Validate payload limit input

Validate the user-configured payloadLimit string to ensure it's in a format that
Express/body-parser can understand, and fall back to a safe default if the
format is invalid.

src/extension.ts [48-53]

 const config = vscode.workspace.getConfiguration("copilotProxy");
 const configPort = config.get("port", 3000);
-const payloadLimit = config.get("payloadLimit", "50mb");
+
+const rawPayloadLimit = String(config.get("payloadLimit", "50mb")).trim();
+const payloadLimit = /^\d+\s*(kb|mb|gb)$/i.test(rawPayloadLimit) ? rawPayloadLimit : "50mb";
+
 process.env.PAYLOAD_LIMIT = payloadLimit;
 serverInstance = startServer(configPort);
 vscode.window.showInformationMessage(`Express server started on port ${configPort} with ${payloadLimit} payload limit.`);
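Review bot: `/^\d+\s*(kb|mb|gb)$/i` rejects values that body-parser's `bytes` parser accepts (a plain byte count such as `1048576`, decimals such as `1.5mb`) while admitting any magnitude, so `500gb` passes and the denial-of-service concern raised in the compliance check remains; validate the parsed byte count against an upper bound, not only the format. The silent fallback to "50mb" should also be surfaced (`vscode.window.showWarningMessage`), otherwise a typo in the setting is indistinguishable from the default.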
Suggestion importance[1-10]: 7


Why: The suggestion correctly points out that an invalid user-provided payloadLimit could cause a runtime crash. Adding validation improves the robustness and prevents unhandled exceptions.

Medium

Comment on lines +12 to +22
// Middleware to parse JSON bodies with configurable limit

// Logger middleware
app.use(morgan('combined'));
=======
const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
app.use(express.json({ limit: payloadLimit }));

// Logger middleware
app.use(morgan('combined'));
=======


Suggestion: Clean up conflict markers and duplicate middleware

Suggested change
-// Middleware to parse JSON bodies with configurable limit
-// Logger middleware
-app.use(morgan('combined'));
-=======
-const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
-app.use(express.json({ limit: payloadLimit }));
-// Logger middleware
-app.use(morgan('combined'));
-=======
+// Middleware to parse JSON bodies with configurable limit
+const payloadLimit = process.env.PAYLOAD_LIMIT || '50mb';
+app.use(express.json({ limit: payloadLimit }));
+// Logger middleware
+app.use(morgan('combined'));



Development

Successfully merging this pull request may close these issues.

litellm.APIError: APIError: OpenAIException: PayloadTooLargeError: request entity too large

1 participant