feat: add max upload file size validation (#18113)

* feat: add max upload file size validation (cherry picked from commit eae9847)
dhis2 · Oct 26, 2024 · 9eae535 · 9eae535
1 parent ed0217f
commit 9eae535
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 3 deletions.
diff --git a/...ort/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java b/...ort/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java
@@ -659,7 +659,9 @@ public enum ConfigurationKey {
   LINKED_ACCOUNTS_RELOGIN_URL("linked_accounts.relogin_url", "", false),
   SWITCH_USER_FEATURE_ENABLED("switch_user_feature.enabled", Constants.OFF, false),
   SWITCH_USER_ALLOW_LISTED_IPS(
-      "switch_user_allow_listed_ips", "localhost,127.0.0.1,[0:0:0:0:0:0:0:1]", false);
+      "switch_user_allow_listed_ips", "localhost,127.0.0.1,[0:0:0:0:0:0:0:1]", false),
+
+  MAX_FILE_UPLOAD_SIZE_BYTES("max.file_upload_size", Integer.toString(10_000_000), false);
 
   private final String key;
 

diff --git a/...est-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java b/...est-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java
@@ -44,6 +44,18 @@
 
 class FileResourceControllerTest extends DhisControllerConvenienceTest {
 
+  @Test
+  void testSaveTooBigFileSize() {
+    byte[] bytes = new byte[10_000_001];
+    MockMultipartFile image =
+        new MockMultipartFile("file", "OU_profile_image.png", "image/png", bytes);
+    HttpResponse response = POST_MULTIPART("/fileResources?domain=USER_AVATAR", image);
+    JsonString errorMessage = response.content(HttpStatus.CONFLICT).getString("message");
+    assertEquals(
+        "File size can't be bigger than 10000000, current file size 10000001",
+        errorMessage.string());
+  }
+
   @Test
   void testSaveBadAvatarImageData() {
     MockMultipartFile image =

diff --git a/...-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java b/...-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java
@@ -171,8 +171,11 @@ public WebMessage saveFileResource(
       @RequestParam(defaultValue = "DATA_VALUE") FileResourceDomain domain,
       @RequestParam(required = false) String uid)
       throws IOException, ConflictException {
-    FileResource fileResource;
 
+    FileResourceUtils.validateFileSize(
+        file, Long.parseLong(dhisConfig.getProperty(ConfigurationKey.MAX_FILE_UPLOAD_SIZE_BYTES)));
+
+    FileResource fileResource;
     if (domain.equals(FileResourceDomain.ICON)) {
       validateCustomIconFile(file);
       fileResource = fileResourceUtils.saveFileResource(uid, resizeIconToDefaultSize(file), domain);

diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java
@@ -288,7 +288,7 @@ private static void validateFileExtension(String fileName, List<String> validExt
     }
   }
 
-  private static void validateFileSize(@Nonnull MultipartFile file, long maxFileSizeInBytes) {
+  public static void validateFileSize(@Nonnull MultipartFile file, long maxFileSizeInBytes) {
     if (file.getSize() > maxFileSizeInBytes) {
       throw new IllegalQueryException(
           String.format(