I looked into whether it was viable to allow large uploads only on routes used by authenticated, trusted users.
In summary, it didn’t seem to be viable because testing shows that the complete upload to Nginx happens before Ghost can authenticate. If an attacker wants to try a denial-of-service attack by uploading large files, they would only have to send the payload that the admins used.
In the end, I didn’t end up recommending merging the PR I submitted after testing the order that authentication and the payload size check happen again.
More details are in the PR: feat(nginx): Trust admins to upload large files by markstos · Pull Request #1662 · TryGhost/Ghost-CLI · GitHub