fix(uploads): enforce attachment size limits on resolved bytes

waleedlatif1 · waleedlatif1 · commit d1b3230d18a5 · 2026-06-29T12:01:13.000-07:00
Size limits were checked against userFile.size (source metadata) before
resolution, but a generated doc resolves to a larger compiled binary — so a
small-source doc could pass the pre-check yet exceed the service limit. Add a
post-resolution check on the actual resolved bytes (mirroring docusign/vanta)
across gmail send/draft/edit-draft, smtp, outlook send/draft, telegram, sftp,
and teams; the cheap source pre-check stays as an early reject.
diff --git a/apps/sim/app/api/tools/gmail/draft/route.ts b/apps/sim/app/api/tools/gmail/draft/route.ts
@@ -118,6 +118,21 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
           )
         }
 
+        // Re-check size against the RESOLVED bytes: a generated doc stores small
+        // source metadata but resolves to a larger compiled binary, so the source
+        // pre-check above can pass a payload that exceeds the limit.
+        const resolvedTotal = resolved.reduce((sum, r) => sum + r.buffer.length, 0)
+        if (resolvedTotal > maxSize) {
+          const sizeMB = (resolvedTotal / (1024 * 1024)).toFixed(2)
+          return NextResponse.json(
+            {
+              success: false,
+              error: `Total attachment size (${sizeMB}MB) exceeds Gmail's limit of 25MB`,
+            },
+            { status: 400 }
+          )
+        }
+
         const attachmentBuffers = attachments.map((file, i) => ({
           filename: file.name,
           mimeType: resolved[i].contentType || file.type || 'application/octet-stream',
diff --git a/apps/sim/app/api/tools/gmail/edit-draft/route.ts b/apps/sim/app/api/tools/gmail/edit-draft/route.ts
@@ -114,6 +114,21 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
           )
         }
 
+        // Re-check size against the RESOLVED bytes: a generated doc stores small
+        // source metadata but resolves to a larger compiled binary, so the source
+        // pre-check above can pass a payload that exceeds the limit.
+        const resolvedTotal = resolved.reduce((sum, r) => sum + r.buffer.length, 0)
+        if (resolvedTotal > maxSize) {
+          const sizeMB = (resolvedTotal / (1024 * 1024)).toFixed(2)
+          return NextResponse.json(
+            {
+              success: false,
+              error: `Total attachment size (${sizeMB}MB) exceeds Gmail's limit of 25MB`,
+            },
+            { status: 400 }
+          )
+        }
+
         const attachmentBuffers = attachments.map((file, i) => ({
           filename: file.name,
           mimeType: resolved[i].contentType || file.type || 'application/octet-stream',
diff --git a/apps/sim/app/api/tools/gmail/send/route.ts b/apps/sim/app/api/tools/gmail/send/route.ts
@@ -118,6 +118,21 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
           )
         }
 
+        // Re-check size against the RESOLVED bytes: a generated doc stores small
+        // source metadata but resolves to a larger compiled binary, so the source
+        // pre-check above can pass a payload that exceeds Gmail's limit.
+        const resolvedTotal = resolved.reduce((sum, r) => sum + r.buffer.length, 0)
+        if (resolvedTotal > maxSize) {
+          const sizeMB = (resolvedTotal / (1024 * 1024)).toFixed(2)
+          return NextResponse.json(
+            {
+              success: false,
+              error: `Total attachment size (${sizeMB}MB) exceeds Gmail's limit of 25MB`,
+            },
+            { status: 400 }
+          )
+        }
+
         const attachmentBuffers = attachments.map((file, i) => ({
           filename: file.name,
           mimeType: resolved[i].contentType || file.type || 'application/octet-stream',
diff --git a/apps/sim/app/api/tools/outlook/draft/route.ts b/apps/sim/app/api/tools/outlook/draft/route.ts
@@ -131,6 +131,21 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
           )
         }
 
+        // Re-check size against the RESOLVED bytes: a generated doc stores small
+        // source metadata but resolves to a larger compiled binary, so the source
+        // pre-check above can pass a payload that exceeds the limit.
+        const resolvedTotal = resolved.reduce((sum, r) => sum + r.buffer.length, 0)
+        if (resolvedTotal > maxSize) {
+          const sizeMB = (resolvedTotal / (1024 * 1024)).toFixed(2)
+          return NextResponse.json(
+            {
+              success: false,
+              error: `Total attachment size (${sizeMB}MB) exceeds Outlook's limit of 4MB per request`,
+            },
+            { status: 400 }
+          )
+        }
+
         const attachmentObjects = attachments.map((file, i) => ({
           '@odata.type': '#microsoft.graph.fileAttachment',
           name: file.name,
diff --git a/apps/sim/app/api/tools/outlook/send/route.ts b/apps/sim/app/api/tools/outlook/send/route.ts
@@ -131,6 +131,21 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
           )
         }
 
+        // Re-check size against the RESOLVED bytes: a generated doc stores small
+        // source metadata but resolves to a larger compiled binary, so the source
+        // pre-check above can pass a payload that exceeds the limit.
+        const resolvedTotal = resolved.reduce((sum, r) => sum + r.buffer.length, 0)
+        if (resolvedTotal > maxSize) {
+          const sizeMB = (resolvedTotal / (1024 * 1024)).toFixed(2)
+          return NextResponse.json(
+            {
+              success: false,
+              error: `Total attachment size (${sizeMB}MB) exceeds Microsoft Graph API limit of 3MB per request`,
+            },
+            { status: 400 }
+          )
+        }
+
         const attachmentObjects = attachments.map((file, i) => ({
           '@odata.type': '#microsoft.graph.fileAttachment',
           name: file.name,
diff --git a/apps/sim/app/api/tools/sftp/upload/route.ts b/apps/sim/app/api/tools/sftp/upload/route.ts
@@ -110,6 +110,17 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
             )
             const { buffer } = await downloadServableFileFromStorage(file, requestId, logger)
 
+            // Re-check size against the RESOLVED bytes: a generated doc stores small
+            // source metadata but resolves to a larger compiled binary, so the source
+            // pre-check above can pass a payload that exceeds the limit.
+            if (buffer.length > maxSize) {
+              const sizeMB = (buffer.length / (1024 * 1024)).toFixed(2)
+              return NextResponse.json(
+                { success: false, error: `Total file size (${sizeMB}MB) exceeds limit of 100MB` },
+                { status: 400 }
+              )
+            }
+
             const safeFileName = sanitizeFileName(file.name)
             const fullRemotePath = remotePath.endsWith('/')
               ? `${remotePath}${safeFileName}`
diff --git a/apps/sim/app/api/tools/smtp/send/route.ts b/apps/sim/app/api/tools/smtp/send/route.ts
@@ -151,6 +151,21 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
           )
         }
 
+        // Re-check size against the RESOLVED bytes: a generated doc stores small
+        // source metadata but resolves to a larger compiled binary, so the source
+        // pre-check above can pass a payload that exceeds the limit.
+        const resolvedTotal = resolved.reduce((sum, r) => sum + r.buffer.length, 0)
+        if (resolvedTotal > maxSize) {
+          const sizeMB = (resolvedTotal / (1024 * 1024)).toFixed(2)
+          return NextResponse.json(
+            {
+              success: false,
+              error: `Total attachment size (${sizeMB}MB) exceeds SMTP limit of 25MB`,
+            },
+            { status: 400 }
+          )
+        }
+
         const attachmentBuffers = attachments.map((file, i) => ({
           filename: file.name,
           content: resolved[i].buffer,
diff --git a/apps/sim/app/api/tools/telegram/send-document/route.ts b/apps/sim/app/api/tools/telegram/send-document/route.ts
@@ -113,6 +113,20 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
+    // Re-check size against the RESOLVED bytes: a generated doc stores small
+    // source metadata but resolves to a larger compiled binary, so the source
+    // pre-check above can pass a payload that exceeds the limit.
+    if (buffer.length > maxSize) {
+      const sizeMB = (buffer.length / (1024 * 1024)).toFixed(2)
+      return NextResponse.json(
+        {
+          success: false,
+          error: `The following files exceed Telegram's 50MB limit: ${userFile.name} (${sizeMB}MB)`,
+        },
+        { status: 400 }
+      )
+    }
+
     const resolvedMimeType = contentType || userFile.type || 'application/octet-stream'
     const filesOutput = [
       {
diff --git a/apps/sim/tools/microsoft_teams/server-utils.ts b/apps/sim/tools/microsoft_teams/server-utils.ts
@@ -81,6 +81,17 @@ export async function uploadFilesForTeamsMessage(params: {
 
     // Download file from storage
     const { buffer, contentType } = await downloadServableFileFromStorage(file, requestId, log)
+
+    // Re-check size against the RESOLVED bytes: a generated doc stores small
+    // source metadata but resolves to a larger compiled binary, so the source
+    // pre-check above can pass a payload that exceeds the limit.
+    if (buffer.length > MAX_TEAMS_FILE_SIZE) {
+      const sizeMB = (buffer.length / (1024 * 1024)).toFixed(2)
+      throw new Error(
+        `File "${file.name}" (${sizeMB}MB) exceeds the 4MB limit for Teams attachments. Use smaller files or upload to SharePoint/OneDrive first.`
+      )
+    }
+
     const resolvedMimeType = contentType || file.type || 'application/octet-stream'
     filesOutput.push({
       name: file.name,
