OBPIH-6083 Add custom MultipartResolver #4472
Conversation
drodzewicz
added
status: work in progress
drodzewicz
force-pushed
the
OBPIH-6083-fix-null-pointer-exception-while-handling-upload-document-size-limit-exception
branch
from
c3fbac5
to
e84d4b3
Compare
drodzewicz
removed
the
warn: do not merge
| @@ -177,7 +177,6 @@ grails: | |||
| controllers: | |||
| upload: | |||
| maxFileSize: 2097152 | |||
| maxRequestSize: 2097152 | |||
There was a problem hiding this comment.
I think it is not a good decision looking from the security context. Without a maximum request size, someone could send excessively large requests, overwhelming the server. This could lead to performance degradation or temporal server unavailability.
There was a problem hiding this comment.
Thanks for pointing that out, I had to check/test few things so...
The new CommonsMultipartResolver that I have implemented here receives a parameter maxUploadSize that checks the size of all of the uploaded files as a whole.
The standard multipart resolver (default one) receives parameters maxFileSize maxRequestSize and works a little differently.
the maxFileSize refers to the individual file size and maxRequestSize to the whole request size.
So in the end specifying maxFileSize: 2097152 and maxRequestSize: 2097152 is almost equivalent to maxUploadSize = 2097152
Note that maxRequestSize only sets this limit on multipart request and not all of the API calls, so if we want to secure our API a bit better we need to look for additional property that would handle this validation.
There was a problem hiding this comment.
Also, there's probably a default value for maxRequestSize that is much smaller than what we've set it to.
drodzewicz
added
needs attention
and removed
status: work in progress
| } catch (MaxUploadSizeExceededException e) { | ||
| Throwable exception = new MultipartMaxSizeException(e) | ||
| request.setAttribute("exception", exception) | ||
| throw(exception) |
There was a problem hiding this comment.
Like I said before, I would prefer to either rethrow MaxUploadSizeExceededException or follow the similar approach i.e. returning
Here's an example from a Grails 3 app
If we cannot get it working this way then I'd suggest we go with the command object with contraints apporach for now.
return new DefaultMultipartHttpServletRequest(request, new LinkedMultiValueMap<>(), new LinkedHashMap<>(), new LinkedHashMap<>());
There are other Spring approaches (@ExceptionHandler, @ControllerAdvice) that we might be able to take advantage of but some of them are supported in Spring 5 (we're using Spring 4), so we'll need to wait a bit until we can use them.
| import org.apache.commons.io.FileUtils | ||
| import org.springframework.web.multipart.MaxUploadSizeExceededException | ||
|
|
||
| class MultipartMaxSizeException extends RuntimeException { |
drodzewicz
added
status: wont do
|
As discussed on the tech huddle, iceboxing and closing |
awalkowiak
deleted the
OBPIH-6083-fix-null-pointer-exception-while-handling-upload-document-size-limit-exception
branch
No description provided.