AI Agent Skill HUB

security-limits-dos-protection

security limits dos protection

7,385 stars
bykreuzberg-dev
View on GitHubInstallation ↓

Best use case

security-limits-dos-protection is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

security limits dos protection

Teams using security-limits-dos-protection should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-limits-dos-protection/SKILL.md --create-dirs "https://raw.githubusercontent.com/kreuzberg-dev/kreuzberg/main/.ai-rulez/skills/security-limits-dos-protection/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-limits-dos-protection/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-limits-dos-protection Compares

Feature / Agentsecurity-limits-dos-protectionStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

security limits dos protection

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

AI Agents for Coding

Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.

Cursor vs Codex for AI Workflows

Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.

AI Agents for Marketing

Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.

SKILL.md Source

## priority: critical

# Security Limits & DoS Protection

## Overview

Defense-in-depth DoS protection via `SecurityLimits` and validator helpers in `crates/kreuzberg/src/extractors/security.rs`. All archive and complex format extractors MUST use these.

## SecurityLimits Struct

| Field | Default | Purpose |
|-------|---------|---------|
| `max_archive_size` | 500 MB | Uncompressed archive size limit |
| `max_compression_ratio` | 100:1 | Zip bomb detection threshold |
| `max_files_in_archive` | 10,000 | Archive file count limit |
| `max_nesting_depth` | 100 | Structure nesting limit |
| `max_entity_length` | 32 | XML entity length limit |
| `max_content_size` | 100 MB | String growth per document |
| `max_iterations` | 10M | Loop iteration limit |
| `max_xml_depth` | 100 | XML nesting depth |
| `max_table_cells` | 100K | Table cell count limit |

Access via `config.security_limits.clone().unwrap_or_default()`.

## Validators

### ZipBombValidator (archives)

```rust
let limits = config.security_limits.clone().unwrap_or_default();
let validator = ZipBombValidator::new(limits);
validator.validate(&mut archive)?;  // Checks ratio, size, file count
```

### StringGrowthValidator (content accumulation)

```rust
let mut validator = StringGrowthValidator::new(limits.max_content_size);
validator.check_append(text.len())?;  // Call before each append
content.push_str(&text);
```

### DepthValidator (nesting)

```rust
let mut depth = DepthValidator::new(limits.max_nesting_depth);
depth.push()?;  // Entering nested structure
// ... process ...
depth.pop();     // Exiting
```

### IterationValidator (loops)

```rust
let mut iter = IterationValidator::new(limits.max_iterations);
for item in collection {
    iter.check_iteration()?;
}
```

### TableValidator (spreadsheets/tables)

```rust
let mut validator = TableValidator::new(limits.max_table_cells);
validator.add_cells(rows * cols)?;
```

## When to Apply

| Format Family | Required Validators |
|--------------|-------------------|
| Archives (ZIP/TAR/7z/GZIP) | `ZipBombValidator` before extraction |
| Office XML (DOCX/PPTX/ODT) | `DepthValidator` + `StringGrowthValidator` |
| XML/HTML | `DepthValidator` + `StringGrowthValidator` |
| Spreadsheets (XLSX/ODS) | `TableValidator` + `StringGrowthValidator` |
| Any loop-heavy processing | `IterationValidator` |

## Critical Rules

1. **NEVER skip** security validation for user-provided content
2. **Always default** if `config.security_limits` is `None`
3. **Validate BEFORE extraction** (fail fast)
4. Errors return `KreuzbergError::validation(msg)`

Related Skills

kreuzberg

7385
from kreuzberg-dev/kreuzberg

Extract text, tables, metadata, and images from 91+ document formats (PDF, Office, images, HTML, email, archives, academic) using Kreuzberg. Use when writing code that calls Kreuzberg APIs in Python, Node.js/TypeScript, Rust, or CLI. Covers installation, extraction (sync/async), configuration (OCR, chunking, output format), batch processing, error handling, and plugins.

wasm-constraints

7385
from kreuzberg-dev/kreuzberg

wasm constraints

test-execution-patterns

7385
from kreuzberg-dev/kreuzberg

test execution patterns

plugin-architecture-patterns

7385
from kreuzberg-dev/kreuzberg

plugin architecture patterns

ocr-backend-management

7385
from kreuzberg-dev/kreuzberg

ocr uackend management

mime-detection-routing

7385
from kreuzberg-dev/kreuzberg

mime detection routing

format-specific-extraction

7385
from kreuzberg-dev/kreuzberg

format specific extraction

extraction-pipeline-patterns

7385
from kreuzberg-dev/kreuzberg

extraction pipeline patterns

config-loading-precedence

7385
from kreuzberg-dev/kreuzberg

config loading precedence

chunking-embeddings

7385
from kreuzberg-dev/kreuzberg

chunking emueddings

api-server-mcp

7385
from kreuzberg-dev/kreuzberg

api server mcp

registry-implementation

7385
from kreuzberg-dev/kreuzberg

registry implementation