-
-
Notifications
You must be signed in to change notification settings - Fork 403
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OBPIH-6083 Add custom MultipartResolver #4472
OBPIH-6083 Add custom MultipartResolver #4472
Conversation
c3fbac5
to
e84d4b3
Compare
@@ -177,7 +177,6 @@ grails: | |||
controllers: | |||
upload: | |||
maxFileSize: 2097152 | |||
maxRequestSize: 2097152 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is not a good decision looking from the security context. Without a maximum request size, someone could send excessively large requests, overwhelming the server. This could lead to performance degradation or temporal server unavailability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for pointing that out, I had to check/test few things so...
The new CommonsMultipartResolver
that I have implemented here receives a parameter maxUploadSize
that checks the size of all of the uploaded files as a whole.
The standard multipart resolver (default one) receives parameters maxFileSize
maxRequestSize
and works a little differently.
the maxFileSize
refers to the individual file size and maxRequestSize
to the whole request size.
So in the end specifying maxFileSize: 2097152
and maxRequestSize: 2097152
is almost equivalent to maxUploadSize = 2097152
Note that maxRequestSize
only sets this limit on multipart request and not all of the API calls, so if we want to secure our API a bit better we need to look for additional property that would handle this validation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, there's probably a default value for maxRequestSize that is much smaller than what we've set it to.
} catch (MaxUploadSizeExceededException e) { | ||
Throwable exception = new MultipartMaxSizeException(e) | ||
request.setAttribute("exception", exception) | ||
throw(exception) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like I said before, I would prefer to either rethrow MaxUploadSizeExceededException or follow the similar approach i.e. returning
Here's an example from a Grails 3 app
If we cannot get it working this way then I'd suggest we go with the command object with contraints apporach for now.
return new DefaultMultipartHttpServletRequest(request, new LinkedMultiValueMap<>(), new LinkedHashMap<>(), new LinkedHashMap<>());
There are other Spring approaches (@ExceptionHandler, @ControllerAdvice) that we might be able to take advantage of but some of them are supported in Spring 5 (we're using Spring 4), so we'll need to wait a bit until we can use them.
import org.apache.commons.io.FileUtils | ||
import org.springframework.web.multipart.MaxUploadSizeExceededException | ||
|
||
class MultipartMaxSizeException extends RuntimeException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove this class.
As discussed on the tech huddle, iceboxing and closing |
No description provided.