From 1d2394e31e0e7d96f9eb35fea47d9bb30bbf39d8 Mon Sep 17 00:00:00 2001
From: Pete Matsyburka <pete@docuseal.com>
Date: Thu, 19 Feb 2026 14:08:27 +0200
Subject: [PATCH] size limit

---
 lib/templates/create_attachments.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/templates/create_attachments.rb b/lib/templates/create_attachments.rb
index 10b08ac7..b6297a76 100644
--- a/lib/templates/create_attachments.rb
+++ b/lib/templates/create_attachments.rb
@@ -18,6 +18,7 @@ module Templates
     ].freeze
 
     ANNOTATIONS_SIZE_LIMIT = 6.megabytes
+    MAX_ZIP_SIZE = 100.megabytes
     InvalidFileType = Class.new(StandardError)
     PdfEncrypted = Class.new(StandardError)
 
@@ -72,9 +73,15 @@ module Templates
 
       Array.wrap(files).each do |file|
         if file.content_type == ZIP_CONTENT_TYPE || file.content_type == X_ZIP_CONTENT_TYPE
+          total_size = 0
+
           Zip::File.open(file.tempfile).each do |entry|
             next if entry.directory?
 
+            total_size += entry.size
+
+            raise InvalidFileType, 'zip_too_large' if total_size > MAX_ZIP_SIZE
+
             tempfile = Tempfile.new(entry.name)
             tempfile.binmode
             entry.get_input_stream { |in_stream| IO.copy_stream(in_stream, tempfile) }