What if someone gets upload parameters for a file by sending a small file size to the `get_upload_params` function, and then uses this info to upload a really large file without us being able to know, and without even sending a request to our server that the upload was completed?
This way a malicious user can upload large files and cost us the storage, possibly without us noticing.
The reason for this is that in `generate_aws_v4_signature` we don't have any way of knowing if the message the user is trying to sign has the correct file parameters in it. I suggest we find a way to parse its content somehow and check if the file size is valid at least.
This would also be helpful if you want to limit the maximum total storage limit for the user; this is why simply adding a policy in S3 for file sizes won't work.
Please correct me if I am overlooking something.
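Added example, not part of the original post and not the project's code: one way a signing endpoint could parse the message before signing it and refuse anything whose size limit differs from the size the client declared. It assumes the message is a base64-encoded S3 POST policy document; `check_policy`, `sign_policy`, `remaining_quota` and the secret are hypothetical names and constructed values.

```python
import base64, hashlib, hmac, json

class PolicyRejected(ValueError):
    """The client-supplied policy does not match what the server approved."""

def check_policy(policy_b64, declared_size, remaining_quota):
    # declared_size: the size the client reported when it asked for upload parameters.
    if declared_size > remaining_quota:
        raise PolicyRejected("declared size exceeds the user's remaining quota")
    try:
        policy = json.loads(base64.b64decode(policy_b64, validate=True))
        conditions = policy["conditions"]
    except (ValueError, KeyError, TypeError) as exc:
        raise PolicyRejected("policy is not base64 JSON with conditions") from exc
    if not isinstance(conditions, list):
        raise PolicyRejected("conditions must be a list")
    ranges = [c for c in conditions
              if isinstance(c, list) and c and c[0] == "content-length-range"]
    # Require exactly one range, pinned to the declared size, so that S3 itself
    # rejects a larger body even if the client never reports completion.
    if len(ranges) != 1 or len(ranges[0]) != 3:
        raise PolicyRejected("exactly one content-length-range is required")
    bounds = ranges[0][1:]
    if [type(v) for v in bounds] != [int, int] or bounds != [declared_size] * 2:
        raise PolicyRejected("content-length-range must equal the declared size")
    return policy

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_policy(policy_b64, declared_size, remaining_quota, secret, date, region):
    """Validate first, then produce the SigV4 signature over the policy."""
    check_policy(policy_b64, declared_size, remaining_quota)
    key = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):  # SigV4 signing-key derivation
        key = _hmac(key, part)
    return hmac.new(key, policy_b64.encode(), hashlib.sha256).hexdigest()
```

The same check would not work on a SigV4 string-to-sign for a PUT or multipart request, because that string contains only a hash of the canonical request; there the server would have to build the request itself rather than sign what the client sends.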