<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:27:13 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3317] Spike - investigate possible file upload vulnerability</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3317</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Overview&quot;&gt;&lt;/a&gt;Overview&lt;/h2&gt;

&lt;p&gt;Several modules provide mechanisms for uploading files to be processed and/or attached to records.&#160; Data import, invoices, etc. are a few examples.&#160; I know in some cases the local storage of the container is used to temporarily store these files.&#160; Care should be taken to ensure that a client isn&apos;t able to fill up the container storage.&lt;/p&gt;

&lt;p&gt;A recent security audit report (internal to EBSCO) included the following advice:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;To prevent a potential denial of service (DoS) attack in which a threat actor can fill up disk space, recommends implementing server-side checks of the uploaded file&#8217;s size, and potentially a quota of size used per user.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Thunderjet had done some research into limiting file upload sizes a while back (for a related, but different reason).&#160; It&apos;s probably worth reviewing what they ended up doing there to see if it&apos;s applicable.&#160; See&#160;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://folio-org.atlassian.net/browse/MODINVOICE-142&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/MODINVOICE-142&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://folio-org.atlassian.net/browse/MODINVOICE-124&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/MODINVOICE-124&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://folio-org.atlassian.net/wiki/display/FOLIJET/Spike%3A+Investigate+limiting+document+size+on+upload&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/wiki/display/FOLIJET/Spike%3A+Investigate+limiting+document+size+on+upload&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Vert.x: A file upload in Vert.x doesn&apos;t automatically create a file on disk. It provides chunks of the file in memory to avoid memory exhaustion: &lt;a href=&quot;https://vertx.io/docs/vertx-core/java/#_handling_form_file_uploads&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://vertx.io/docs/vertx-core/java/#_handling_form_file_uploads&lt;/a&gt; . For the size limit of multi-part forms see &lt;a href=&quot;https://vertx.io/docs/vertx-core/java/#_handling_html_forms&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://vertx.io/docs/vertx-core/java/#_handling_html_forms&lt;/a&gt; and 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;RMB-856&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/RMB-856&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Make maxFormAttributeSize configurable&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            RMB-856
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;The purpose of this spike is to&#160;do some investigation into which modules are vulnerable, and whether or not we can actually exploit this.&lt;/b&gt;&lt;/p&gt;

&lt;h2&gt;&lt;a name=&quot;AcceptanceCriteria&quot;&gt;&lt;/a&gt;Acceptance Criteria&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;spike findings are documented&lt;/li&gt;
	&lt;li&gt;stories are created (and tagged w/ security) for addressing the problem in modules identified&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&#160;&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Investigationonmoduleswithuploadcapabilties&quot;&gt;&lt;/a&gt;Investigation on modules with upload capabilities&lt;/h4&gt;

&lt;div class=&apos;table-wrap&apos;&gt;
&lt;table class=&apos;confluenceTable&apos;&gt;&lt;tbody&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Module&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;endpoint&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;upload purpose&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;upload file limited&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;JIRA Ticket(s)&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Inspected Class&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Note&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;mod-agreements&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;/erm/files&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;external license documents, supplementary documents, eResource metadata import (json/kbart)&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;yes&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;a href=&quot;https://github.com/folio-org/mod-agreements/blob/9a4ae8d35fb02716b0334f87f7642f40c57b5a0a/service/grails-app/conf/application.yml&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;Setting for Grails upload props&lt;/a&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;mod-data-export&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;/data-export/file-definitions&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;record IDs or CQL&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;no&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;MDEXP-487&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/MDEXP-487&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Spike: Limit file upload size&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            MDEXP-487
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;a href=&quot;https://github.com/folio-org/mod-data-export/blob/66da290e5c077c0453de9d29a0ed2840f495979f/src/main/java/org/folio/rest/impl/DataExportImplFileDefinitionImpl.java&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;DataExportImplFileDefinitionImpl.java&lt;/a&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;mod-data-import&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;/data-import/uploadDefinitions&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;import of bibliographic data as well as finance data&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;no&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;ins&gt;MODDATAIMP-608&lt;/ins&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;a href=&quot;https://github.com/folio-org/mod-data-import/blob/9dc685f5e2dc436e1146b9b32db04069ae75a853/src/main/java/org/folio/rest/impl/DataImportImpl.java&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;DataImportImpl.java&lt;/a&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;mod-erm-usage&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;/erm-usage/files&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;counter reports, non-counter-reports&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;no&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;ins&gt;MODEUS-139&lt;/ins&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;a href=&quot;https://github.com/folio-org/mod-erm-usage/blob/ecc58db3acc11c218855adebe4bdfd7e67b4b26b/mod-erm-usage-server/src/main/java/org/folio/rest/impl/ErmUsageFilesAPI.java&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;ErmUsageFilesAPI.java&lt;/a&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;mod-finc-config&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;no&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;UIFC-262&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIFC-262&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Limit file upload size&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            UIFC-262
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-complete jira-macro-single-issue-export-pdf&quot;&gt;Open&lt;/span&gt;
            &lt;/span&gt;
&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;a href=&quot;https://github.com/folio-org/mod-finc-config/blob/37764c04d1a80939587ccd1f861cc03b33744f8d/src/main/java/org/folio/rest/impl/FincSelectFilesAPI.java&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;&lt;ins&gt;FincSelectFilesAPI.java&lt;/ins&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/mod-finc-config/blob/37764c04d1a80939587ccd1f861cc03b33744f8d/src/main/java/org/folio/rest/impl/FincConfigFilesAPI.java&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;&lt;ins&gt;FincConfigFilesAPI.java&lt;/ins&gt;&lt;/a&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;mod-invoice&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;/invoice/invoices&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;invoice documents&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;yes&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;MODINVOICE-142&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODINVOICE-142&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Spike: Investigate limiting document size on upload for application/octet-stream POST&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            MODINVOICE-142
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
&lt;br/&gt;

    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;MODINVOICE-124&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODINVOICE-124&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Limit document size&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            MODINVOICE-124
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;a href=&quot;https://github.com/folio-org/mod-invoice/blob/16cd74fb773e551015d98c42bdcf4cdac376fd1f/src/main/java/org/folio/rest/impl/InvoicesImpl.java&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;InvoicesImpl.java&lt;/a&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;mod-licences&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;/licences/files&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;core documents, supplementary documents&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;yes&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;a href=&quot;https://github.com/folio-org/mod-licenses/blob/2475b0c4e7c0c3d9a7eb34739c1987fb7318c4e5/service/grails-app/conf/application.yml&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;Setting for Grails upload props&lt;/a&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;mod-saml-login&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;-&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Identity Provider Metadata download&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&amp;nbsp;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;a href=&quot;https://github.com/folio-org/mod-login-saml/blob/e744941eba8571cde5bce627b2c12bd132bf6d9e/src/main/java/org/folio/config/SamlClientLoader.java&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;SamlClientLoader.java&lt;/a&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;URL is handed over to pac4j, which uses org.opensaml.saml.metadata.resolver.MetadataResolver to resolve metadata from a URL&lt;br/&gt;
--&amp;gt; out of scope&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;/div&gt;
</description>
                <environment></environment>
        <key id="79801">FOLIO-3317</key>
            <summary>Spike - investigate possible file upload vulnerability</summary>
                <type id="10003" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium">Task</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="1" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="712020:d28f3303-d132-4a90-a1e4-02884a0fd949">Axel D&#246;rrer</assignee>
                                                                <reporter accountid="557058:4f6bed01-40a6-48d5-8471-7ef21f5ea97c">Hongwei Ji</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Thu, 21 Oct 2021 15:26:33 +0000</created>
                <updated>Wed, 7 Dec 2022 19:19:52 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>4</watches>
                                                                    <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="79799">FOLIO-3316</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="35466">MODEUS-139</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="66473">MODINVOICE-124</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="34460">MODEXPS-51</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="57517">RMB-856</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="82389">FOLIO-3522</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="32099">UIFC-262</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="63892">MDEXP-487</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="75355">RSRVR-114</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="39125">VERTXLIB-35</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10168"><![CDATA[None]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i03k8v:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>