security: TOCTOU in file transfer between stat() and read_bytes()

## Description

In the file transfer module, there is a time-of-check-to-time-of-use (TOCTOU) gap between calling `stat()` to check file size and `read_bytes()` to read the file content. A file that grows between these two calls (e.g. an actively written log file) could exceed the size limit and cause unexpected memory consumption.

## Affected files

- `src/untether/telegram/file_transfer.py:584-592`

## Impact

Memory spike if a file grows between size check and read. Low practical risk since file transfers typically target static files.

## Recommended fix

Use streaming read with an explicit size limit:

```python
with open(path, "rb") as f:
    content = f.read(max_size + 1)
    if len(content) > max_size:
        raise ValueError(f"File exceeds {max_size} byte limit")
```

## Severity

LOW — requires specific timing conditions with growing files.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security: TOCTOU in file transfer between stat() and read_bytes() #211

Description

Affected files

Impact

Recommended fix

Severity

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

security: TOCTOU in file transfer between stat() and read_bytes() #211

Description

Description

Affected files

Impact

Recommended fix

Severity

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions