
#6923: fix(memory): add timeouts to Gemini batch API fetch calls (CWE-400)

by hclsys, open, 2026-02-02 06:15

## Summary

Add `AbortSignal.timeout()` to all 4 fetch calls in `batch-gemini.ts` to prevent resource exhaustion (CWE-400) from slow/malicious Gemini API servers.

Fixes #6852

## Risk Summary

- **Severity**: Medium (CWE-400 — Uncontrolled Resource Consumption)
- **Regression risk**: Low — timeout values are generous (30-120s per stage)
- **Scope**: Single file, 4 fetch calls

## Changes

- Timeout values: 120s (upload), 30s (batch create), 30s (status poll), 60s (download)
- Each timeout error includes a stage-specific message and preserves the original error via `{ cause: err }`
- Body reading (`.json()`/`.text()`) is included in timeout scope

## Verification

- [x] `pnpm build` passes
- [x] `pnpm lint` passes
- [x] `pnpm test` passes
- [x] `pnpm vitest run src/memory` — 47 tests pass

## Sign-Off

- Models used: Claude Opus 4.6
- Submitter effort: Manually reviewed batch-gemini.ts lifecycle, verified timeout values match stage duration expectations, confirmed error wrapping preserves cause chain
- Agent notes: N/A

lobster-biscuit
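As an added illustration of the pattern this PR describes (example code, not the project's `batch-gemini.ts`): each stage gets its own `AbortSignal.timeout()` that covers both the fetch and the body read, and a timeout is rethrown as a stage-specific error with the original `TimeoutError` kept as `cause`, while non-timeout errors pass through untouched. The stage names, the `example.invalid` URLs and the fake server are constructed for the example; only the four timeout values come from the PR.

```javascript
// Added example, not the project's code. fetchImpl is injectable so the
// pipeline can be exercised offline against a constructed fake server.
const STAGE_TIMEOUTS_MS = { upload: 120_000, create: 30_000, poll: 30_000, download: 60_000 };

// One signal per stage; the body read is awaited inside the same try block,
// so a server that returns headers quickly but drips the body still hits the deadline.
async function fetchStage(stage, url, fetchImpl, timeoutMs = STAGE_TIMEOUTS_MS[stage]) {
  const signal = AbortSignal.timeout(timeoutMs);
  try {
    const res = await fetchImpl(url, { signal });
    if (!res.ok) throw new Error(`${stage}: HTTP ${res.status}`);
    return await res.json();
  } catch (err) {
    if (err?.name === 'TimeoutError') {
      // Stage-specific message; the original abort reason stays on the cause chain.
      throw new Error(`Gemini batch ${stage} timed out after ${timeoutMs}ms`, { cause: err });
    }
    throw err; // HTTP / network errors are not timeouts and are left as they are
  }
}

// Constructed stand-in for a Gemini endpoint: headers arrive after headerDelayMs,
// the JSON body after a further bodyDelayMs. Both delays honour the abort signal,
// as a real fetch body stream does.
function makeFakeFetch({ headerDelayMs, bodyDelayMs, status = 200 }) {
  const wait = (ms, signal) => new Promise((resolve, reject) => {
    if (signal.aborted) return reject(signal.reason);
    const onAbort = () => { clearTimeout(t); reject(signal.reason); };
    const t = setTimeout(() => { signal.removeEventListener('abort', onAbort); resolve(); }, ms);
    signal.addEventListener('abort', onAbort, { once: true });
  });
  return async (url, { signal }) => {
    await wait(headerDelayMs, signal);
    return {
      ok: status < 400,
      status,
      json: async () => { await wait(bodyDelayMs, signal); return { url }; },
    };
  };
}

// Runs one stage and reports the outcome in a plain object (handy for tests and logs).
async function probe(stage, fetchImpl, timeoutMs) {
  try {
    await fetchStage(stage, `https://example.invalid/${stage}`, fetchImpl, timeoutMs);
    return { outcome: 'ok', message: null, causeName: null };
  } catch (err) {
    return { outcome: 'error', message: err.message, causeName: err.cause?.name ?? null };
  }
}
```

The short timeouts passed to `probe` in the checks below are only to keep the demonstration fast; in the pipeline itself the defaults in `STAGE_TIMEOUTS_MS` apply.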
