Overview
Several modules provide mechanisms for uploading files to be processed and/or attached to records. Data import, invoices, etc. are a few examples. I know in some cases the local storage of the container is used to temporarily store these files. Care should be taken to ensure that a client isn't able fill up the container storage.
A recent security audit report (internal to EBSCO) included the following advice:
To prevent a potential denial of service (DoS) attack in which a threat actor can fill up disk space, recommends implementing server-side checks of the uploaded file’s size, and potentially a quota of size used per user.
Thunderjet had done some research into limiting file upload sizes a while back (for a related, but different reason). It's probably worth reviewing what they ended up doing there to see if it's applicable. See
NOTE: this is a feature, not a user story... We'll need to do some investigation into which modules are vulnerable, and whether or not we can actually exploit this.
|