<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:27:13 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3316] File upload size configuration</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3316</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Overview&quot;&gt;&lt;/a&gt;Overview&lt;/h2&gt;

&lt;p&gt;Several modules provide mechanisms for uploading files to be processed and/or attached to records.&#160; Data import, invoices, etc. are a few examples.&#160; I know in some cases the local storage of the container is used to temporarily store these files.&#160; Care should be taken to ensure that a client isn&apos;t able to fill up the container storage.&lt;/p&gt;

&lt;p&gt;A recent security audit report (internal to EBSCO) included the following advice:&lt;/p&gt;

&lt;p&gt;&lt;b&gt;To prevent a potential denial of service (DoS) attack in which a threat actor can fill up disk space, recommends implementing server-side checks of the uploaded file&#8217;s size, and potentially a quota of size used per user.&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Thunderjet had done some research into limiting file upload sizes a while back (for a related, but different reason).&#160; It&apos;s probably worth reviewing what they ended up doing there to see if it&apos;s applicable.&#160; See&#160;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://folio-org.atlassian.net/browse/MODINVOICE-142&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/MODINVOICE-142&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://folio-org.atlassian.net/browse/MODINVOICE-124&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/MODINVOICE-124&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://folio-org.atlassian.net/wiki/display/FOLIJET/Spike%3A+Investigate+limiting+document+size+on+upload&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/wiki/display/FOLIJET/Spike%3A+Investigate+limiting+document+size+on+upload&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&lt;b&gt;NOTE&lt;/b&gt;:&#160; this is a feature, not a user story...&#160; We&apos;ll need to do some investigation into which modules are vulnerable, and whether or not we can actually exploit this.&lt;/p&gt;</description>
                <environment></environment>
        <key id="79799">FOLIO-3316</key>
            <summary>File upload size configuration</summary>
                <type id="10002" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium">New Feature</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="1" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="557058:4f6bed01-40a6-48d5-8471-7ef21f5ea97c">Hongwei Ji</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Wed, 20 Oct 2021 18:01:37 +0000</created>
                <updated>Thu, 28 Oct 2021 15:21:05 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                <comments>
                                                            <comment id="189756" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 28 Oct 2021 15:21:05 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3Ad28f3303-d132-4a90-a1e4-02884a0fd949&quot; class=&quot;user-hover&quot; rel=&quot;712020:d28f3303-d132-4a90-a1e4-02884a0fd949&quot; data-account-id=&quot;712020:d28f3303-d132-4a90-a1e4-02884a0fd949&quot; accountid=&quot;712020:d28f3303-d132-4a90-a1e4-02884a0fd949&quot; rel=&quot;noreferrer&quot;&gt;Axel D&#246;rrer&lt;/a&gt; is looking at the related SPIKE to evaluate the scope of this change&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="79801">FOLIO-3317</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10168"><![CDATA[None]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i03k2v:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 28 Oct 2021 15:21:05 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>