From 9eae535309dd8613cb6a38049cea8ed7c28b3300 Mon Sep 17 00:00:00 2001
From: netroms
Date: Fri, 19 Jul 2024 00:33:32 +0700
Subject: [PATCH] feat: add max upload file size validation (#18113)
* feat: add max upload file size validation
(cherry picked from commit eae98479b776e6edbbd3ff9a92c8a79109590521)
---
 .../hisp/dhis/external/conf/ConfigurationKey.java | 4 +++-
 .../controller/FileResourceControllerTest.java | 12 ++++++++++++
 .../webapi/controller/FileResourceController.java | 5 ++++-
 .../hisp/dhis/webapi/utils/FileResourceUtils.java | 2 +-
 4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java b/dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java
index 74c296f5df30..43cdf6603a64 100644
--- a/dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java
+++ b/dhis-2/dhis-support/dhis-support-external/src/main/java/org/hisp/dhis/external/conf/ConfigurationKey.java
@@ -659,7 +659,9 @@ public enum ConfigurationKey {
 LINKED_ACCOUNTS_RELOGIN_URL("linked_accounts.relogin_url", "", false),
 SWITCH_USER_FEATURE_ENABLED("switch_user_feature.enabled", Constants.OFF, false),
 SWITCH_USER_ALLOW_LISTED_IPS(
- "switch_user_allow_listed_ips", "localhost,127.0.0.1,[0:0:0:0:0:0:0:1]", false);
+ "switch_user_allow_listed_ips", "localhost,127.0.0.1,[0:0:0:0:0:0:0:1]", false),
+
+ MAX_FILE_UPLOAD_SIZE_BYTES("max.file_upload_size", Integer.toString(10_000_000), false);
 private final String key;
diff --git a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java
index c61286e154c5..d2a7ee2d2fe9 100644
--- a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java
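Review bot: The new constant's key `max.file_upload_size` carries no unit while the enum name says `_BYTES`, and nothing in the hunk tells an administrator which one applies; since the value is consumed through `Long.parseLong` at the call site in FileResourceController, a value such as `10MB` fails at request time rather than at startup. I would add a Javadoc on the constant, `/** Maximum accepted size of a single upload to /fileResources, in bytes; must be a plain integer. */`, and consider whether the key itself should end in `_bytes`, bearing in mind that renaming it would break existing configuration files. The enum declaration starts and ends outside the hunk.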
+++ b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java
@@ -44,6 +44,18 @@ class FileResourceControllerTest extends DhisControllerConvenienceTest {
+ @Test
+ void testSaveTooBigFileSize() {
+ byte[] bytes = new byte[10_000_001];
+ MockMultipartFile image =
+ new MockMultipartFile("file", "OU_profile_image.png", "image/png", bytes);
+ HttpResponse response = POST_MULTIPART("/fileResources?domain=USER_AVATAR", image);
+ JsonString errorMessage = response.content(HttpStatus.CONFLICT).getString("message");
+ assertEquals(
+ "File size can't be bigger than 10000000, current file size 10000001",
+ errorMessage.string());
+ }
+
 @Test
 void testSaveBadAvatarImageData() {
 MockMultipartFile image =
diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java
index 76357db12f8c..075a2ba899e6 100644
--- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java
+++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java
@@ -171,8 +171,11 @@ public WebMessage saveFileResource(
 @RequestParam(defaultValue = "DATA_VALUE") FileResourceDomain domain,
 @RequestParam(required = false) String uid)
 throws IOException, ConflictException {
- FileResource fileResource;
+ FileResourceUtils.validateFileSize(
+ file, Long.parseLong(dhisConfig.getProperty(ConfigurationKey.MAX_FILE_UPLOAD_SIZE_BYTES)));
+
+ FileResource fileResource;
 if (domain.equals(FileResourceDomain.ICON)) {
 validateCustomIconFile(file);
 fileResource = fileResourceUtils.saveFileResource(uid, resizeIconToDefaultSize(file), domain);
diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java
index 48db99821d74..4d878b77c9d5 100644
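Review bot: `testSaveTooBigFileSize` only exercises the rejected side of the `>` comparison in `validateFileSize`; a payload of exactly 10_000_000 bytes, which the check is meant to accept, is not covered, so a later slip to `>=` would still pass this suite. I would add a sibling test that posts a `new byte[10_000_000]` payload to the same endpoint and asserts it is not answered with `HttpStatus.CONFLICT`, using whatever success assertion the other tests in this class already rely on. The `10_000_001` literal and the expected message also hard-code the default limit, so a change to the default in `ConfigurationKey` silently breaks this test; deriving the size from the key's default value would make that coupling explicit, if the enum exposes it.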
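Review bot: `Long.parseLong(dhisConfig.getProperty(ConfigurationKey.MAX_FILE_UPLOAD_SIZE_BYTES))` runs on every upload and turns a misconfigured `max.file_upload_size` (empty, `10MB`, stray whitespace) into an uncaught `NumberFormatException`, i.e. an unexplained 500 instead of a clear configuration error. Parsing the value once, ideally in the constructor, or at least catching the failure and reporting the key and the offending value, would make that failure mode obvious; the sketch below does the latter inside the method because the constructor is outside the hunk. The call site also deserves a comment that `file.getSize()` is checked after the servlet container has already received and buffered the whole multipart body, so this limit bounds what is persisted rather than what a client may send, and the container's own multipart size limits remain the transport-level guard. `saveFileResource`'s signature begins before the hunk and the rest of its body follows it.
```java
      throws IOException, ConflictException {
    // The multipart body is already fully received at this point; this check only bounds
    // what gets persisted. Container-level multipart limits still cap what a client may send.
    String configured = dhisConfig.getProperty(ConfigurationKey.MAX_FILE_UPLOAD_SIZE_BYTES);
    long maxFileSizeBytes;
    try {
      maxFileSizeBytes = Long.parseLong(configured);
    } catch (NumberFormatException e) {
      throw new IllegalStateException(
          "Invalid value for max.file_upload_size: '" + configured + "'", e);
    }
    FileResourceUtils.validateFileSize(file, maxFileSizeBytes);

    FileResource fileResource;
    // … unchanged: per-domain save branches …
```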
--- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java
+++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java
@@ -288,7 +288,7 @@ private static void validateFileExtension(String fileName, List validExt
 }
 }
- private static void validateFileSize(@Nonnull MultipartFile file, long maxFileSizeInBytes) {
+ public static void validateFileSize(@Nonnull MultipartFile file, long maxFileSizeInBytes) {
 if (file.getSize() > maxFileSizeInBytes) {
 throw new IllegalQueryException(
 String.format(