[FOLIO-3316] File upload size configuration Created: 20/Oct/21  Updated: 28/Oct/21

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: New Feature Priority: P3
Reporter: Hongwei Ji Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3317 Spike - investigate possible file upl... Open
Sprint:
Development Team: None

Description

Overview

Several modules provide mechanisms for uploading files to be processed and/or attached to records. Data import, invoices, etc. are a few examples. I know in some cases the local storage of the container is used to temporarily store these files. Care should be taken to ensure that a client isn't able to fill up the container storage.

A recent security audit report (internal to EBSCO) included the following advice:

To prevent a potential denial of service (DoS) attack in which a threat actor can fill up disk space, the report recommends implementing server-side checks of the uploaded file's size, and potentially a quota of size used per user.

Thunderjet did some research into limiting file upload sizes a while back (for a related, but different reason). It's probably worth reviewing what they ended up doing there to see if it's applicable. See 

NOTE: this is a feature, not a user story... We'll need to do some investigation into which modules are vulnerable, and whether or not we can actually exploit this.
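The audit advice above (a per-file limit enforced while the body is still streaming in, plus a per-user quota of temporary storage) as an added Python sketch; this is not FOLIO code, and the limits, the in-memory usage table and the use of Content-Length as an early hint are assumptions.

```python
import os
import tempfile
# Hypothetical limits; a real module would read these from configuration.
MAX_UPLOAD_BYTES = 10 * 1024 * 1024
USER_QUOTA_BYTES = 50 * 1024 * 1024

class UploadTooLarge(Exception):
    """A single upload exceeded the per-file limit."""

class QuotaExceeded(Exception):
    """The user's share of temporary storage would be exceeded."""

class UploadGuard:
    """Per-file limit plus per-user quota for uploads streamed to temp storage."""
    def __init__(self, max_upload=MAX_UPLOAD_BYTES, user_quota=USER_QUOTA_BYTES):
        self.max_upload = max_upload
        self.user_quota = user_quota
        self.used = {}  # user id -> bytes currently held in temp storage

    def _check(self, user, size):
        if size > self.max_upload:
            raise UploadTooLarge(f"{size} bytes > limit {self.max_upload}")
        if self.used.get(user, 0) + size > self.user_quota:
            raise QuotaExceeded(f"user {user} would exceed {self.user_quota}")

    def save_upload(self, user, chunks, declared_length=None):
        """Write chunks to a temp file, aborting as soon as a limit is hit.
        Returns (path, size); the partial file is deleted on failure."""
        # Content-Length allows early refusal but is client supplied, so the
        # streamed byte count is what is actually enforced.
        if declared_length is not None:
            self._check(user, declared_length)
        fd, path = tempfile.mkstemp(prefix="upload-")
        written = 0
        try:
            with os.fdopen(fd, "wb") as out:
                for chunk in chunks:
                    written += len(chunk)
                    self._check(user, written)  # raise before using more disk
                    out.write(chunk)
        except Exception:
            os.unlink(path)
            raise
        self.used[user] = self.used.get(user, 0) + written
        return path, written

    def release(self, user, path, size):
        # Delete the processed temp file and give the user's quota back.
        os.unlink(path)
        self.used[user] = max(0, self.used.get(user, 0) - size)
```

Because the check runs per chunk, a client that lies about or omits Content-Length can only ever occupy one more chunk than the limit before the request is rejected and the partial file removed.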



Comments
Comment by Jakub Skoczen [ 28/Oct/21 ]

Axel Dörrer is looking at the related SPIKE to evaluate the scope of this change

Generated at Thu Feb 08 23:27:12 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.