mirror of https://github.com/bitwarden/server.git synced 2025-04-05 13:08:17 -05:00

Use RequestSizeLimit for all file upload endpoints (#1507)

* Enforce upload size limits via RequestSizeLimit instead of if statements
* 101mb limit for legacy uploads, 501mb limit for all other
* Only allow v2 local storage for self-hosted instances
Thomas Rittson 2021-08-11 08:14:28 +10:00 committed by GitHub
parent f92628fb80
commit eb6aaad57a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 21 deletions


@ -8,6 +8,7 @@ using Bit.Core.Models.Api;
using Bit.Core.Exceptions;
using Bit.Core.Services;
using Bit.Core.Context;
using Bit.Core.Utilities;
using Bit.Api.Utilities;
using System.Collections.Generic;
using Bit.Core.Models.Table;
@ -594,7 +595,7 @@ namespace Bit.Api.Controllers
throw new NotFoundException();
}
if (request.FileSize > CipherService.MAX_FILE_SIZE && !_globalSettings.SelfHosted)
if (request.FileSize > CipherService.MAX_FILE_SIZE)
{
throw new BadRequestException($"Max file size is {CipherService.MAX_FILE_SIZE_READABLE}.");
}
@ -632,6 +633,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("{id}/attachment/{attachmentId}")]
[SelfHosted(SelfHostedOnly = true)]
[RequestSizeLimit(Constants.FileSize501mb)]
[DisableFormValueModelBinding]
public async Task PostFileForExistingAttachment(string id, string attachmentId)
@ -641,11 +643,6 @@ namespace Bit.Api.Controllers
throw new BadRequestException("Invalid content.");
}
if (!_globalSettings.SelfHosted)
{
throw new BadRequestException("Invalid endpoint for non self-hosted servers.");
}
var userId = _userService.GetProperUserId(User).Value;
var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
var attachments = cipher?.GetAttachments();
@ -662,6 +659,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("{id}/attachment")]
[Obsolete("Deprecated Attachments API", false)]
[RequestSizeLimit(Constants.FileSize101mb)]
[DisableFormValueModelBinding]
public async Task<CipherResponseModel> PostAttachment(string id)
@ -814,11 +812,6 @@ namespace Bit.Api.Controllers
{
throw new BadRequestException("Invalid content.");
}
if (Request.ContentLength > Constants.FileSize101mb)
{
throw new BadRequestException("Max file size is 100 MB.");
}
}
}
}
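Review bot: The last hunk of this file removes the `Request.ContentLength > Constants.FileSize101mb` check from what appears to be a shared validation helper at the end of the class (its signature is outside the hunk), while `[RequestSizeLimit(...)]` is added only to `PostAttachment` and `PostFileForExistingAttachment`. Any other action that calls that helper and does not already carry its own `[RequestSizeLimit(Constants.FileSize101mb)]` now depends on the server-wide body limit instead of the 100 MB rule, so each caller should be checked for the attribute. Oversized uploads are also now rejected by the request-size filter rather than by the `Max file size is 100 MB.` BadRequestException, which changes what clients and logs see. A comment on the helper such as `// Body size is capped by [RequestSizeLimit] on each calling action` would keep that dependency visible to the next maintainer.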


@ -167,6 +167,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("file")]
[Obsolete("Deprecated File Send API", false)]
[RequestSizeLimit(Constants.FileSize101mb)]
[DisableFormValueModelBinding]
public async Task<SendResponseModel> PostFile()
@ -176,11 +177,6 @@ namespace Bit.Api.Controllers
throw new BadRequestException("Invalid content.");
}
if (Request.ContentLength > Constants.FileSize101mb)
{
throw new BadRequestException("Max file size is 100 MB.");
}
Send send = null;
await Request.GetSendFileAsync(async (stream, fileName, model) =>
{
@ -250,6 +246,7 @@ namespace Bit.Api.Controllers
}
[HttpPost("{id}/file/{fileId}")]
[SelfHosted(SelfHostedOnly = true)]
[RequestSizeLimit(Constants.FileSize501mb)]
[DisableFormValueModelBinding]
public async Task PostFileForExistingSend(string id, string fileId)
@ -259,11 +256,6 @@ namespace Bit.Api.Controllers
throw new BadRequestException("Invalid content.");
}
if (Request.ContentLength > Constants.FileSize101mb && !_globalSettings.SelfHosted)
{
throw new BadRequestException("Max file size for direct upload is 100 MB.");
}
var send = await _sendRepository.GetByIdAsync(new Guid(id));
await Request.GetFileAsync(async (stream) =>
{
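Review bot: `[RequestSizeLimit(Constants.FileSize501mb)]` on `PostFileForExistingSend` caps the whole request body rather than the file, and nothing in the visible lines compares the streamed length with the size recorded for the Send loaded just below it. If that comparison is not made inside the `GetFileAsync` callback (its body continues outside the hunk), a self-hosted client could store up to the cap regardless of the size it declared. The removed messages said 100 MB while the attributes use 101 MB and 501 MB, presumably to leave room for multipart framing. If that is the reason, a one-line comment next to the attributes, e.g. `// 1 MB above the file limit to allow for multipart overhead`, would record it.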