
#19763: fix(security): OC-53 enforce prompt size limit to prevent DoS — Aether AI Agent

by aether-ai-agent open 2026-02-18 04:28
size: XS trusted-contributor
## Attack Vector

OC-53: No input size validation on ACP chat.send prompts.

**Vector:** An authenticated ACP client sends a `chat.send` request with an arbitrarily large prompt string (e.g., 100MB). The server passes the entire string to the agent runner without size checks, causing memory exhaustion and process crash (Denial of Service).

**CWE:** CWE-400 (Uncontrolled Resource Consumption)

**Severity:** Medium

**GHSA:** GHSA-cxpw-2g23-2vgw

## Fix

Added a 2MB byte-length guard on incoming ACP prompt messages before dispatch to the agent runner. Requests exceeding the limit are rejected with an error response.

## Impact

Prevents unauthenticated/authenticated DoS via oversized prompt injection.

---

*Discovered and remediated by [Aether AI Agent](https://tryaether.ai) — automated security research.*

<h3>Greptile Summary</h3>

Adds a 2MB (`MAX_PROMPT_BYTES`) byte-length limit on ACP `chat.send` prompt messages in `AcpGatewayAgent.prompt()` to mitigate DoS via memory exhaustion (CWE-400). The constant is consistent with other text-oriented limits in the codebase (shell buffer, web fetch response are also 2MB).

- **Resource leak on rejection**: When the size check throws, the active run set via `setActiveRun` just before the check is never cleaned up — `clearActiveRun` must be called before the throw to avoid orphaned entries in the session store's `runIdToSessionId` map.
- **Late check placement**: The guard fires after `extractTextFromPrompt` has already concatenated all prompt blocks into a single string in memory. For true DoS prevention, validation should happen before or during text extraction rather than after full assembly.
- **No tests**: There are no unit tests for `AcpGatewayAgent.prompt()` or for the new size limit behavior.

<h3>Confidence Score: 3/5</h3>

- The core fix is sound but has a resource leak bug that should be fixed before merging.
- The 2MB prompt size limit is a reasonable security guard and the constant aligns with codebase conventions. However, the active run resource leak on rejection is a real bug — repeated oversized prompts would accumulate orphaned entries. The late check placement also limits DoS protection effectiveness, though it still prevents forwarding oversized payloads downstream.
- `src/acp/translator.ts` — the `clearActiveRun` call must be added before the throw to prevent resource leaks.

<sub>Last reviewed commit: 90da60f</sub>

**Context used:**

- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))
