From eb6aaad57ab65b67c90e6e987b14325c20a4ed5e Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Wed, 11 Aug 2021 08:14:28 +1000
Subject: [PATCH] Use RequestSizeLimit for all file upload endpoints (#1507)
* Enforce upload size limits via RequestSizeLimit instead of if statements
* 101mb limit for legacy uploads, 501mb limit for all other
* Only allow v2 local storage for self-hosted instances
---
 src/Api/Controllers/CiphersController.cs | 15 ++++-----------
 src/Api/Controllers/SendsController.cs | 12 ++----------
 2 files changed, 6 insertions(+), 21 deletions(-)
diff --git a/src/Api/Controllers/CiphersController.cs b/src/Api/Controllers/CiphersController.cs
index 5dbf10dee6..6265121ce5 100644
--- a/src/Api/Controllers/CiphersController.cs
+++ b/src/Api/Controllers/CiphersController.cs
@@ -8,6 +8,7 @@ using Bit.Core.Models.Api;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
 using Bit.Core.Context;
+using Bit.Core.Utilities;
 using Bit.Api.Utilities;
 using System.Collections.Generic;
 using Bit.Core.Models.Table;
@@ -594,7 +595,7 @@ namespace Bit.Api.Controllers
 throw new NotFoundException();
 }
- if (request.FileSize > CipherService.MAX_FILE_SIZE && !_globalSettings.SelfHosted)
+ if (request.FileSize > CipherService.MAX_FILE_SIZE)
 {
 throw new BadRequestException($"Max file size is {CipherService.MAX_FILE_SIZE_READABLE}.");
 }
@@ -632,6 +633,7 @@ namespace Bit.Api.Controllers
 }
 [HttpPost("{id}/attachment/{attachmentId}")]
+ [SelfHosted(SelfHostedOnly = true)]
 [RequestSizeLimit(Constants.FileSize501mb)]
 [DisableFormValueModelBinding]
 public async Task PostFileForExistingAttachment(string id, string attachmentId)
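Review bot: The value compared in `if (request.FileSize > CipherService.MAX_FILE_SIZE)` appears to be the size the client declares in the request model, so this guard on its own does not bound the bytes that are uploaded afterwards. Dropping `&& !_globalSettings.SelfHosted` makes the declared-size cap apply to self-hosted servers too, which deserves a comment above the check, for example `// Declared size only: the upload endpoint must still cap the bytes actually received.` Whether the stored attachment is measured again after upload is not visible here, because the enclosing action starts and ends outside the hunk.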
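Review bot: On `PostFileForExistingAttachment` the refusal for hosted (non-self-hosted) servers now rests entirely on `[SelfHosted(SelfHostedOnly = true)]`, whose implementation is not part of this patch, so the status and message such a caller receives may differ from the removed `BadRequestException("Invalid endpoint for non self-hosted servers.")` (deleted in the next hunk, -641). A short comment above the attribute saying that the route accepts direct uploads to local storage only, together with a test asserting that a hosted configuration is refused, would pin the intended behaviour. The same applies to `PostFileForExistingSend` in SendsController.cs (hunk -250), where the removed check previously let hosted callers upload up to `Constants.FileSize101mb`. The method body continues outside the hunk.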
@@ -641,11 +643,6 @@ namespace Bit.Api.Controllers
 throw new BadRequestException("Invalid content.");
 }
- if (!_globalSettings.SelfHosted)
- {
- throw new BadRequestException("Invalid endpoint for non self-hosted servers.");
- }
-
 var userId = _userService.GetProperUserId(User).Value;
 var cipher = await _cipherRepository.GetByIdAsync(new Guid(id), userId);
 var attachments = cipher?.GetAttachments();
@@ -662,6 +659,7 @@ namespace Bit.Api.Controllers
 }
 [HttpPost("{id}/attachment")]
+ [Obsolete("Deprecated Attachments API", false)]
 [RequestSizeLimit(Constants.FileSize101mb)]
 [DisableFormValueModelBinding]
 public async Task PostAttachment(string id)
@@ -814,11 +812,6 @@ namespace Bit.Api.Controllers
 {
 throw new BadRequestException("Invalid content.");
 }
-
- if (Request.ContentLength > Constants.FileSize101mb)
- {
- throw new BadRequestException("Max file size is 100 MB.");
- }
 }
 }
 }
diff --git a/src/Api/Controllers/SendsController.cs b/src/Api/Controllers/SendsController.cs
index 87c5e40aa7..f8f1689215 100644
--- a/src/Api/Controllers/SendsController.cs
+++ b/src/Api/Controllers/SendsController.cs
@@ -167,6 +167,7 @@ namespace Bit.Api.Controllers
 }
 [HttpPost("file")]
+ [Obsolete("Deprecated File Send API", false)]
 [RequestSizeLimit(Constants.FileSize101mb)]
 [DisableFormValueModelBinding]
 public async Task PostFile()
@@ -176,11 +177,6 @@ namespace Bit.Api.Controllers
 throw new BadRequestException("Invalid content.");
 }
- if (Request.ContentLength > Constants.FileSize101mb)
- {
- throw new BadRequestException("Max file size is 100 MB.");
- }
-
 Send send = null;
 await Request.GetSendFileAsync(async (stream, fileName, model) =>
 {
@@ -250,6 +246,7 @@ namespace Bit.Api.Controllers
 }
 [HttpPost("{id}/file/{fileId}")]
+ [SelfHosted(SelfHostedOnly = true)]
 [RequestSizeLimit(Constants.FileSize501mb)]
 [DisableFormValueModelBinding]
 public async Task PostFileForExistingSend(string id, string fileId)
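Review bot: With the `Request.ContentLength` comparison removed from the validation helper (hunk -814) and from `PostFile` in SendsController.cs (hunk -176), `[RequestSizeLimit(Constants.FileSize101mb)]` is the only cap left on `PostAttachment` and on the other legacy upload action. ASP.NET Core applies that attribute by setting the server's maximum request body size, and it only logs and skips the limit when the server does not expose the feature or the body has already started to be read, so it is worth confirming that nothing ahead of MVC in the pipeline reads the body on these routes. An oversized upload is now refused by the server as the body is read (typically a 413) rather than with the previous `BadRequestException("Max file size is 100 MB.")`, which clients that parse the message would notice. A comment such as `// Size cap is enforced by RequestSizeLimit; do not read the body before MVC filters run.` above the attribute would record the dependency.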
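Review bot: In `[Obsolete("Deprecated File Send API", false)]` the second argument is the default and can be dropped, and the message does not name the route that replaces `PostFile`. The attribute only produces compiler warnings for C# code that references the method; HTTP clients get no signal from it, so if the aim is to move clients off the legacy endpoint a comment saying what supersedes it would help, e.g. `// Legacy single-request upload; superseded by the {id}/file/{fileId} flow.` if that is the intent. The same wording applies to `[Obsolete("Deprecated Attachments API", false)]` on `PostAttachment` in CiphersController.cs.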
@@ -259,11 +256,6 @@ namespace Bit.Api.Controllers
 throw new BadRequestException("Invalid content.");
 }
- if (Request.ContentLength > Constants.FileSize101mb && !_globalSettings.SelfHosted)
- {
- throw new BadRequestException("Max file size for direct upload is 100 MB.");
- }
-
 var send = await _sendRepository.GetByIdAsync(new Guid(id));
 await Request.GetFileAsync(async (stream) =>
 {