File upload concerns - Githubissues

jooby-project / jooby

The modular web framework for Java and Kotlin

https://jooby.io

Apache License 2.0

1.68k stars 199 forks source link

File upload concerns #3417

Closed ogrammer closed 2 months ago

ogrammer commented 2 months ago

I am asking here because there is very little information about file uploads on the website. I see that a temporary file may be created during file upload; when does this happen?

Additionally, if a temporary file was created, there is no option to simply move it. Reading the file and then writing it again is wasteful, whereas FileUpload could ideally include a write(Path) method that would either move the temporary file (if one was made) or write it directly from memory.

Another question is: Is it possible to stop reading a file upload while in progress? For instance, an attacker could upload a very large file and the request wouldn't be aborted until the file upload is complete and my code checks the size, which could lead to a very large temporary file being written (not sure) and also spending server resources. It would be good if one can limit the file size per Jooby server instance or per route.

Thanks

jknack commented 2 months ago

The files are stored in Jooby.getTmpdir
Files are saved to disk when the ServerOptions.bufferSize (16kb) is exceed
FileUpload.path() allow you to move file somewhere else. If the file is all in memory, it will be saved to disk.
There is no partial upload support. Large files are read by chunk, but yea no user code run while reading the file.

ogrammer commented 2 months ago

Ok, thanks. Is there any possibility to add file upload size limit as a feature? I do not know the details so it might not be so but uploading a very large file could cause harm, for example the disk could run out of space (I know the file is temporary but it could cause issues). As a ServerOptions field would be good

jknack commented 2 months ago

There is one option: ServerOptions.maxRequestSize which defaults to 10mb. That option control the entire request size and results in REQUEST_ENTITY_TOO_LARGE error when exceed

ogrammer commented 2 months ago

So this means that by default you cannot upload files larger than 10mb. I think this should be mentioned on the site. It is apparent then that adding one specific for files could be useful (for example allow large request but only small file to handle small disk) but confusing then because it would be affected by maxRequestSize as well. Thank you the maxRequestSize is good to know about.

edgarespinawt commented 2 months ago

yea the maxRequestSize is the "whole" request (no matter if you have a file or not in it). The other option is how much you keep in memory when a file is part of the request. But again this can't exceed the maxRequestSize value.