File uploads with no MAX_CONTENT_LENGTH configured
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
The app reads request.files somewhere but never sets app.config["MAX_CONTENT_LENGTH"], so a client can upload an arbitrarily large file and exhaust disk or memory. Heuristic: a reverse proxy in front of the app may already enforce a body-size limit.
Why it matters
Without app.config["MAX_CONTENT_LENGTH"] set, Flask enforces no limit on how large an incoming request (including a file upload) can be, so a client can send a multi-gigabyte upload and exhaust the server's disk or memory before your own code ever gets a chance to reject it.
How to fix it
Set app.config["MAX_CONTENT_LENGTH"] to a byte limit appropriate for your largest legitimate upload, for example 16 * 1024 * 1024 for 16MB, near wherever the app is configured. Flask returns a 413 Request Entity Too Large automatically once this is set, with no extra code needed in the view.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo