fix(security): pin tight read bounds on JSON responses; cap actual ZIP bytes

Addresses the Copilot review on PR #2442 and the same pattern elsewhere.

- safe_extract_zip(): track the cumulative bytes actually written and fail past
  max_total_bytes, so the total-size bound holds even if member headers
  understate file_size (the declared-total check alone could be evaded). Mirrors
  the existing per-member written guard — defense-in-depth consistency.
- Pass an explicit max_bytes to read_response_limited() at every JSON call site
  instead of inheriting the 50 MiB archive/payload default:
    * MAX_JSON_METADATA_BYTES (1 MiB): Azure AD token, GitHub release metadata,
      and the existing latest-release fetch (migrated off an inline literal).
    * MAX_JSON_CATALOG_BYTES (8 MiB): preset, extension, workflow and
      integration catalog fetches.
  Binary/archive downloads keep the 50 MiB ceiling.

Both ceilings are centralized as documented constants in _download_security.py.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: PascalThuet

src/specify_cli/_download_security.py

@@ -18,6 +18,20 @@
 MAX_ZIP_MEMBER_BYTES = 10 * 1024 * 1024
 MAX_ZIP_TOTAL_BYTES = 50 * 1024 * 1024
 READ_CHUNK_SIZE = 1024 * 1024
+
+# Tighter ceilings for responses that are read fully into memory and parsed as
+# JSON. The 50 MiB MAX_DOWNLOAD_BYTES default is sized for archive/payload
+# downloads; JSON responses are far smaller, so capping them close to their real
+# size shrinks the memory-DoS surface and keeps the "too large" error reachable
+# (rather than only triggering on tens of MiB). Pass the matching constant
+# explicitly at each JSON call site so the intended bound is pinned there.
+#   * METADATA — fixed-shape single-object responses (an OAuth token, one
+#     release's metadata): a few KiB in practice, 1 MiB is already generous.
+#   * CATALOG — listings that grow with the number of published items. The
+#     largest bundled catalog is ~130 KiB today, so 8 MiB leaves ~60x headroom
+#     for growth while staying well under the download ceiling.
+MAX_JSON_METADATA_BYTES = 1 * 1024 * 1024
+MAX_JSON_CATALOG_BYTES = 8 * 1024 * 1024
 SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
 
 
@@ -263,6 +277,11 @@ def safe_extract_zip(
 
             normalized_members.append((member, normalized_name))
 
+        # The loop above bounds the *declared* total via member.file_size, but a
+        # crafted archive can understate those headers. Mirror the per-member
+        # guard below with a cumulative count of the bytes actually written so
+        # the total-size bound holds even when the headers lie.
+        total_written = 0
         for member, normalized_name in normalized_members:
             member_path = target_dir / normalized_name
             if member.is_dir():
@@ -298,6 +317,13 @@ def safe_extract_zip(
                                 f"ZIP member {member.filename} exceeds maximum size "
                                 f"of {max_member_bytes} bytes",
                             )
+                        total_written += len(chunk)
+                        if total_written > max_total_bytes:
+                            _raise(
+                                error_type,
+                                f"ZIP archive exceeds maximum uncompressed size "
+                                f"of {max_total_bytes} bytes",
+                            )
                         dest.write(chunk)
             except (OSError, zipfile.BadZipFile, RuntimeError) as exc:
                 _raise_from(

src/specify_cli/_github_http.py

@@ -121,7 +121,10 @@ def resolve_github_release_asset_api_url(
     import json
     import urllib.error
 
-    from specify_cli._download_security import read_response_limited
+    from specify_cli._download_security import (
+        MAX_JSON_METADATA_BYTES,
+        read_response_limited,
+    )
 
     parsed = urlparse(download_url)
     parts = [unquote(part) for part in parsed.path.strip("/").split("/")]
@@ -152,7 +155,9 @@ def resolve_github_release_asset_api_url(
         with open_url_fn(release_url, timeout=timeout) as response:
             release_data = json.loads(
                 read_response_limited(
-                    response, label=f"GitHub release metadata {release_url}"
+                    response,
+                    max_bytes=MAX_JSON_METADATA_BYTES,
+                    label=f"GitHub release metadata {release_url}",
                 )
             )
     # ValueError covers both an oversized body (raised by read_response_limited)

src/specify_cli/_version.py

@@ -29,7 +29,7 @@
 from packaging.version import InvalidVersion, Version
 
 from ._console import console
-from ._download_security import read_response_limited
+from ._download_security import MAX_JSON_METADATA_BYTES, read_response_limited
 
 GITHUB_API_LATEST = "https://api.github.com/repos/github/spec-kit/releases/latest"
 _RESOLUTION_FAILURE_OFFLINE = "offline or timeout"
@@ -123,7 +123,7 @@ def _fetch_latest_release_tag() -> tuple[str | None, str | None]:
             payload = json.loads(
                 read_response_limited(
                     resp,
-                    max_bytes=1024 * 1024,
+                    max_bytes=MAX_JSON_METADATA_BYTES,
                     label="GitHub latest release",
                 ).decode("utf-8")
             )

src/specify_cli/authentication/azure_devops.py

@@ -113,7 +113,10 @@ def _acquire_via_client_credentials(entry: AuthConfigEntry) -> str | None:
             headers={"Content-Type": "application/x-www-form-urlencoded"},
         )
         try:
-            from specify_cli._download_security import read_response_limited
+            from specify_cli._download_security import (
+                MAX_JSON_METADATA_BYTES,
+                read_response_limited,
+            )
             from specify_cli.authentication.http import _StripAuthOnRedirect
 
             # A 307/308 redirect preserves the POST body, which carries the
@@ -125,6 +128,7 @@ def _acquire_via_client_credentials(entry: AuthConfigEntry) -> str | None:
                 payload = _json.loads(
                     read_response_limited(
                         resp,
+                        max_bytes=MAX_JSON_METADATA_BYTES,
                         error_type=_TokenResponseTooLarge,
                         label="Azure DevOps token response",
                     ).decode("utf-8")

src/specify_cli/extensions.py

@@ -25,6 +25,7 @@
 from packaging.specifiers import SpecifierSet, InvalidSpecifier
 
 from ._download_security import (
+    MAX_JSON_CATALOG_BYTES,
     read_response_limited,
     safe_extract_zip,
     verify_sha256,
@@ -2022,6 +2023,7 @@ def _fetch_single_catalog(self, entry: CatalogEntry, force_refresh: bool = False
                 catalog_data = json.loads(
                     read_response_limited(
                         response,
+                        max_bytes=MAX_JSON_CATALOG_BYTES,
                         error_type=ExtensionError,
                         label=f"extension catalog {entry.url}",
                     )
@@ -2144,6 +2146,7 @@ def fetch_catalog(self, force_refresh: bool = False) -> Dict[str, Any]:
                 catalog_data = json.loads(
                     read_response_limited(
                         response,
+                        max_bytes=MAX_JSON_CATALOG_BYTES,
                         error_type=ExtensionError,
                         label=f"extension catalog {catalog_url}",
                     )

src/specify_cli/integrations/catalog.py

@@ -21,7 +21,7 @@
 import yaml
 from packaging import version as pkg_version
 
-from .._download_security import read_response_limited
+from .._download_security import MAX_JSON_CATALOG_BYTES, read_response_limited
 from ..catalogs import CatalogEntry, CatalogStackBase
 
 
@@ -174,6 +174,7 @@ def _fetch_single_catalog(
                 catalog_data = json.loads(
                     read_response_limited(
                         resp,
+                        max_bytes=MAX_JSON_CATALOG_BYTES,
                         error_type=IntegrationCatalogError,
                         label=f"integration catalog {entry.url}",
                     )

src/specify_cli/presets.py

@@ -27,6 +27,7 @@
 from packaging.specifiers import SpecifierSet, InvalidSpecifier
 
 from ._download_security import (
+    MAX_JSON_CATALOG_BYTES,
     read_response_limited,
     safe_extract_zip,
     verify_sha256,
@@ -2092,6 +2093,7 @@ def _fetch_single_catalog(self, entry: PresetCatalogEntry, force_refresh: bool =
                 catalog_data = json.loads(
                     read_response_limited(
                         response,
+                        max_bytes=MAX_JSON_CATALOG_BYTES,
                         error_type=PresetError,
                         label=f"preset catalog {entry.url}",
                     )
@@ -2191,6 +2193,7 @@ def fetch_catalog(self, force_refresh: bool = False) -> Dict[str, Any]:
                 catalog_data = json.loads(
                     read_response_limited(
                         response,
+                        max_bytes=MAX_JSON_CATALOG_BYTES,
                         error_type=PresetError,
                         label=f"preset catalog {catalog_url}",
                     )

src/specify_cli/workflows/catalog.py

@@ -19,7 +19,7 @@
 
 import yaml
 
-from specify_cli._download_security import read_response_limited
+from specify_cli._download_security import MAX_JSON_CATALOG_BYTES, read_response_limited
 
 
 # ---------------------------------------------------------------------------
@@ -348,6 +348,7 @@ def _validate_catalog_url(url: str) -> None:
                 data = json.loads(
                     read_response_limited(
                         resp,
+                        max_bytes=MAX_JSON_CATALOG_BYTES,
                         error_type=WorkflowCatalogError,
                         label="workflow catalog",
                     ).decode("utf-8")

tests/test_download_security.py

@@ -228,6 +228,50 @@ def test_safe_extract_zip_rejects_total_uncompressed_size(tmp_path):
         safe_extract_zip(zip_path, tmp_path / "out", max_total_bytes=5)
 
 
+def test_safe_extract_zip_bounds_actual_written_bytes_when_headers_understate_size(
+    tmp_path, monkeypatch
+):
+    # Defense in depth: the pre-extraction check sums the *declared*
+    # member.file_size values, which a crafted archive can understate so that
+    # check passes. If the ZIP reader then yields more bytes than the header
+    # promised, the extraction loop must still abort once the cumulative bytes
+    # actually written exceed max_total_bytes. CPython's own zipfile happens to
+    # bound member reads to file_size and CRC-check them, so we substitute a
+    # reader that does not — exercising our guard rather than the stdlib's.
+    zip_path = tmp_path / "liar.zip"
+    with zipfile.ZipFile(zip_path, "w") as zf:
+        zf.writestr("a.txt", "")  # declared file_size 0 ⇒ declared total stays 0
+        zf.writestr("b.txt", "")
+
+    class _OverreadingStream:
+        """A member reader that yields more bytes than any header declared."""
+
+        def __init__(self, payload: bytes):
+            self._remaining = payload
+
+        def read(self, size: int = -1) -> bytes:
+            if size is None or size < 0:
+                size = len(self._remaining)
+            out, self._remaining = self._remaining[:size], self._remaining[size:]
+            return out
+
+        def __enter__(self):
+            return self
+
+        def __exit__(self, *exc):
+            return False
+
+    # Each member streams 8 bytes despite declaring 0; the per-member cap (10 MiB
+    # default) is untouched, so only the cumulative guard can stop this.
+    monkeypatch.setattr(
+        zipfile.ZipFile, "open", lambda self, *a, **k: _OverreadingStream(b"x" * 8)
+    )
+
+    # 8 bytes for "a.txt" (total 8 ≤ 12), then "b.txt" busts the 12-byte ceiling.
+    with pytest.raises(ValueError, match="maximum uncompressed size"):
+        safe_extract_zip(zip_path, tmp_path / "out", max_total_bytes=12)
+
+
 def test_safe_extract_zip_wraps_bad_zip_file(tmp_path):
     zip_path = tmp_path / "bad.zip"
     zip_path.write_bytes(b"not a zip archive")