From 362d6a3d03f595e576c08c5e71df5f7ec0d68f08 Mon Sep 17 00:00:00 2001 From: khizarshah01 Date: Mon, 23 Feb 2026 23:18:10 +0530 Subject: [PATCH] fix: limit omnichannel webhook response size --- .changeset/tender-papayas-jam.md | 5 +++++ apps/meteor/app/livechat/server/api/v1/webhooks.ts | 1 + apps/meteor/app/livechat/server/lib/webhooks.ts | 1 + 3 files changed, 7 insertions(+) create mode 100644 .changeset/tender-papayas-jam.md diff --git a/.changeset/tender-papayas-jam.md b/.changeset/tender-papayas-jam.md new file mode 100644 index 0000000000000..d9e85e6d29425 --- /dev/null +++ b/.changeset/tender-papayas-jam.md @@ -0,0 +1,5 @@ +--- +'@rocket.chat/meteor': patch +--- + +Limits Omnichannel webhook maximum response size to 10mb. diff --git a/apps/meteor/app/livechat/server/api/v1/webhooks.ts b/apps/meteor/app/livechat/server/api/v1/webhooks.ts index 4a5fdb50f7e44..276a910502d69 100644 --- a/apps/meteor/app/livechat/server/api/v1/webhooks.ts +++ b/apps/meteor/app/livechat/server/api/v1/webhooks.ts @@ -66,6 +66,7 @@ API.v1.addRoute( body: sampleData, // SECURITY: Webhooks can only be configured by users with enough privileges. It's ok to disable this check here. ignoreSsrfValidation: true, + size: 10 * 1024 * 1024, } as ExtendedFetchOptions; const webhookUrl = settings.get('Livechat_webhookUrl'); diff --git a/apps/meteor/app/livechat/server/lib/webhooks.ts b/apps/meteor/app/livechat/server/lib/webhooks.ts index b0d2cd94f80e2..661b428cc7cb8 100644 --- a/apps/meteor/app/livechat/server/lib/webhooks.ts +++ b/apps/meteor/app/livechat/server/lib/webhooks.ts @@ -29,6 +29,7 @@ export async function sendRequest( timeout, // SECURITY: Webhooks can only be configured by users with enough privileges. It's ok to disable this check here. ignoreSsrfValidation: true, + size: 10 * 1024 * 1024, }); if (result.status === 200) {