FileUpload max_file_size check trusts client-reported size field

[strawgate]

Description

The store_files tool in FileUpload checks f.get("size", 0) > provider._max_file_size to enforce the file size limit, but the size field is entirely client-provided and never validated against the actual base64-encoded data payload.

A client can set size: 1 while sending an arbitrarily large data payload, completely bypassing the configured max_file_size limit.

Reproduction

import base64
from fastmcp import FastMCP
from fastmcp.apps.file_upload import FileUpload

server = FastMCP("test", providers=[FileUpload(max_file_size=100)])

big_data = base64.b64encode(b"x" * 10_000).decode()
spoofed = {
    "name": "huge.bin",
    "size": 1,  # lies about size
    "type": "application/octet-stream",
    "data": big_data,
}

# This succeeds despite max_file_size=100
result = await server.call_tool("Files___store_files", {"files": [spoofed]})

Expected behavior

The size limit should be enforced based on the actual base64 data length, not the client-reported size field.

Impact

The max_file_size setting gives a false sense of security — it can be trivially bypassed by any client that sets a small size value.

[marvin-context-protocol]

Claude finished @strawgate's task in 3m 6s —— View job

---

Triage: FileUpload max_file_size bypass via spoofed size field

• Gather context and read relevant source code
• Verify the reported behavior
• Check for existing tests around file size limits
• Provide recommendation and action plan

Confirmed. The store_files tool checks the client-supplied size field (file_upload.py:277) instead of measuring the actual base64 data payload. A client can set size: 1 and upload arbitrarily large files, completely bypassing max_file_size.

Recommendation

Compute the actual decoded size from the base64 data field in store_files and use that for the size check. Also replace the client-reported size in the file dict with the computed value so downstream storage and metadata are accurate.

Findings

The bug is in _register_tools → store_files at src/fastmcp/apps/file_upload.py:276-282:

for f in files:
    if f.get("size", 0) > provider._max_file_size:  # trusts client
        raise ValueError(...)

The size field is never validated against f["data"]. Additionally, on_store (line 200) persists the client-reported size into storage, so even the stored metadata is wrong when size is spoofed.

The existing test test_max_file_size_enforced_server_side (line 119) only tests the honest case — it sets size to the actual content length. There is no test for a spoofed size value.

Verification

Reproduced the issue exactly as described:

$ uv run python -c "
import asyncio, base64
from fastmcp import FastMCP
from fastmcp.apps.file_upload import FileUpload

async def main():
    server = FastMCP('test', providers=[FileUpload(max_file_size=100)])
    big_data = base64.b64encode(b'x' * 10_000).decode()
    spoofed = {'name': 'huge.bin', 'size': 1, 'type': 'application/octet-stream', 'data': big_data}
    try:
        result = await server.call_tool('Files___store_files', {'files': [spoofed]})
        print(f'BUG CONFIRMED: upload succeeded with 10000 bytes despite max_file_size=100')
    except Exception as e:
        print(f'Rejected as expected: {e}')

asyncio.run(main())
"
BUG CONFIRMED: upload succeeded with 10000 bytes despite max_file_size=100

Detailed Action Plan

File to change: src/fastmcp/apps/file_upload.py

In _register_tools → store_files (lines 274–283), replace the size check with one that computes actual size from the base64 data:

@self.tool()
def store_files(files: list[dict], ctx: Context) -> list[dict]:
    """Store uploaded files. Receives file objects with name, size, type, data (base64)."""
    for f in files:
        data = f.get("data", "")
        actual_size = len(base64.b64decode(data))
        f["size"] = actual_size  # correct the client-reported size
        if actual_size > provider._max_file_size:
            raise ValueError(
                f"File {f.get('name', '?')!r} exceeds max size "
                f"({_format_size(actual_size)} > "
                f"{_format_size(provider._max_file_size)})"
            )
    return provider.on_store(files, ctx)

Key points:

1. base64.b64decode(data) gives the actual decoded bytes — use len() for the real size. This also validates the base64 encoding.
2. Overwrite f["size"] with the actual size so on_store and downstream metadata reflect reality.
3. base64 is already imported at line 63.

Test file to change: tests/apps/test_file_upload.py

Add a test for the spoofed size bypass:

async def test_max_file_size_not_bypassed_by_spoofed_size(self):
    server = FastMCP("test", providers=[FileUpload(max_file_size=100)])
    big_data = base64.b64encode(b"x" * 200).decode()
    spoofed = {"name": "big.bin", "size": 1, "type": "application/octet-stream", "data": big_data}

    with pytest.raises(Exception, match="exceeds max size"):
        await server.call_tool("Files___store_files", {"files": [spoofed]})

Related Files

Repository	File	Relevance	Sections
PrefectHQ/fastmcp	src/fastmcp/apps/file_upload.py	Contains the store_files tool with the vulnerable size check	276-282
PrefectHQ/fastmcp	tests/apps/test_file_upload.py	Existing test only covers honest size values	119-124

---

Marvin Context Protocol | Type /marvin to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.