Make annotated services reject the multipart requests that contain an uninjectable file upload #5549
If it's not urgent, I'll give it a try.

Sure. Why not? 😄
Bue-von-hon added a commit to Bue-von-hon/armeria that referenced this issue Apr 5, 2024

Motivation: this resolves line#5549

Modifications:
- Fix(AnnotatedServiceMultipartTest): Add test for upload multipart file with unexpected parameters in AnnotatedServiceMultipartTest.
- Fix(AnnotatedService): Fix to include a list of intended parameters in the ServiceRequestContext.
- Fix(FileAggregatedMultipart): Fix to check if any variables are passed in the list of intended parameters and throw an acceptance if not.

Result: Multipart requests with unintended parameters will no longer create files.
Bue-von-hon added a commit to Bue-von-hon/armeria that referenced this issue May 17, 2024
Given the following service:

A client can send a multipart request that contains more than one file, even if `/upload` expects the request to contain one single file in the `file` field. Regardless of whether the received multipart request contains the `file` field or not, `FileAggregatedMultipart.aggregateMultipart()` will decode and store all file fields into the upload location (filesystem). It means, a client can incur unnecessary disk writes by sending the multipart requests like the following:

- `file` and `file2`. (not an error but unnecessary disk write for `file2`)
- `foo`. (an error with completely unnecessary disk write)

We could:

We might reject the requests with unnecessary fields only for a certain type of requests such as multipart file uploads, though, because sending unnecessary fields is often harmless.

Alternatively, we might want to silently discard the body part of unnecessary fields, given that we limit the total content length anyway.
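
The two options weighed in the issue above (reject versus silently discard), shown as an added example that is neither Armeria code nor part of the original issue: a self-contained Java program that decides from each part's field name before writing anything, and removes files already written when a later part causes a rejection. `Part`, `Policy` and `store` are hypothetical names; only JDK classes are used, and the sample request is constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class MultipartFieldFilter {
    enum Policy { REJECT, DISCARD }
    // Hypothetical stand-in for one decoded body part; filename == null means a non-file field.
    record Part(String name, String filename, byte[] content) {}
    /** Stores only file parts whose field name is expected; returns the paths written. */
    static List<Path> store(Iterable<Part> parts, Set<String> expected, Policy policy, Path dir)
            throws IOException {
        List<Path> written = new ArrayList<>();
        try {
            for (Part p : parts) {
                if (p.filename() == null) continue;          // not a file upload
                if (!expected.contains(p.name())) {
                    if (policy == Policy.DISCARD) continue;  // skip the body, no disk write
                    throw new IllegalArgumentException("unexpected file field: " + p.name());
                }
                // Server-generated name; the client-supplied filename is never used as a path.
                Path target = Files.createTempFile(dir, "upload-", ".tmp");
                written.add(target);
                Files.write(target, p.content());
            }
            return written;
        } catch (IllegalArgumentException | IOException e) {
            // Parts arrive in order, so an expected file may already be on disk: clean up.
            for (Path f : written) Files.deleteIfExists(f);
            throw e;
        }
    }
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");
        Set<String> expected = Set.of("file");   // the handler declares a single `file` parameter
        List<Part> req = List.of(                 // constructed sample request: `file` and `file2`
                new Part("file", "a.txt", "hello".getBytes()),
                new Part("file2", "b.txt", "extra".getBytes()));
        System.out.println("DISCARD stored " + store(req, expected, Policy.DISCARD, dir).size() + " file(s)");
        try {
            store(req, expected, Policy.REJECT, dir);
        } catch (IllegalArgumentException e) {
            System.out.println("REJECT: " + e.getMessage());
        }
        try (var s = Files.list(dir)) { System.out.println("files left on disk: " + s.count()); }
    }
}
```

With `REJECT`, the `file` part is written before `file2` is seen, so the cleanup in the `catch` block is what keeps a rejected request from leaving data in the upload location.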