From 799ca8c5f9db1da604b837fa12047e5808bab796 Mon Sep 17 00:00:00 2001
From: GitHub Actions <actions@github.com>
Date: Mon, 9 Mar 2026 00:42:23 +0000
Subject: [PATCH] fix: enhance decompression limit check to prevent false
 positives for valid files

---
 backend/internal/services/backup_service.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/backend/internal/services/backup_service.go b/backend/internal/services/backup_service.go
index 9cfcc7ba..82e672ea 100644
--- a/backend/internal/services/backup_service.go
+++ b/backend/internal/services/backup_service.go
@@ -750,12 +750,13 @@ func (s *BackupService) unzipWithSkip(src, dest string, skipEntries map[string]s
 			return err
 		}
 
-		// Limit decompressed size to prevent decompression bombs (100MB limit)
+		// Limit decompressed size to prevent decompression bombs (100MB limit).
+		// Use max+1 so lr.N == 0 only when a byte beyond the limit was consumed,
+		// avoiding a false positive for files that are exactly maxDecompressedSize.
 		const maxDecompressedSize = 100 * 1024 * 1024 // 100MB
-		lr := &io.LimitedReader{R: rc, N: maxDecompressedSize}
+		lr := &io.LimitedReader{R: rc, N: maxDecompressedSize + 1}
 		_, err = io.Copy(outFile, lr)
 
-		// Verify we didn't hit the limit (potential attack)
 		if err == nil && lr.N == 0 {
 			err = fmt.Errorf("file %s exceeded decompression limit (%d bytes), potential decompression bomb", f.Name, maxDecompressedSize)
 		}