[WW-5388] Uses the latest JakartaEE FileUpload Servlet 6 package #861
Conversation
Also refactors the Jakarta based parsers as they have a lot in common
core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java
Outdated
Show resolved
Hide resolved
lukaszlenart
force-pushed
the
feature/WW-5388-upload-servlet6
branch
4 times, most recently
from
ad2f820 to
1f9e0cd
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| LOG.debug("No file has been uploaded for the field: {}", sanitizeNewlines(item.getFieldName())); | ||
| return; | ||
| } | ||
| LOG.debug("Using charset: {} or default: {}", charset, defaultEncoding); |
Check notice
Code scanning / SonarCloud
Logging should not be vulnerable to injection attacks
| // if the requestSizePermitted check failed based on the | ||
| // complete content-size of the request. | ||
| else { | ||
| LOG.debug("Using charset: {} or default: {}", charset, defaultEncoding); |
Check notice
Code scanning / SonarCloud
Logging should not be vulnerable to injection attacks
lukaszlenart
force-pushed
the
feature/WW-5388-upload-servlet6
branch
2 times, most recently
from
4601311 to
0eead10
Compare
lukaszlenart
force-pushed
the
feature/WW-5388-upload-servlet6
branch
from
0eead10 to
3294ed0
Compare
lukaszlenart
requested review from
sepe81,
rgielen,
aleksandr-m,
yasserzamani,
sdutry and
kusalk
and removed request for
sepe81
|
/cc: @burtonrhodes |
|
/cc: @deki |
|
@lukaszlenart Looks good. The current version of this PR works well in my initial testing (dev) environment. |
| errorMessage = buildErrorMessage(e, new Object[]{ | ||
| ex.getContentType() | ||
| }); | ||
| for (DiskFileItem item : servletFileUpload.parseRequest(request)) { |
There was a problem hiding this comment.
@lukaszlenart Quick thought on the maxFiles setting: I still think it makes more sense that maxFiles would apply to only file fields and not all form fields in the request. However it appears that this logic is actually baked into the JakartaServletFileUpload class itself when calling servletFileUpload.parseRequest(). Wonder why they coded it this way??
Anyway, if we ever wanted to change this, you could set the maxFiles to unlimited in the servletFileUpload object, and then perform the files count check in the if (item.isFormField()... logic below. Just a thought.
There was a problem hiding this comment.
In thinking about it more, that might be a security issue, as the serletFileUpload object would upload everything first (something that the setting is trying to prevent), only to perform the check after the processing is done. However, the maxSize / maxFileSize might offset that security risk??
There was a problem hiding this comment.
I assume so, this can be changed with a proper implementation of Streaming API which can then calculate the max size of uploaded files internally in Struts ... hm or maybe even right now, let me think this through 🤔
There was a problem hiding this comment.
@burtonrhodes introduced a new constant maxSizeOfFiles which controls how many files you can upload based on their size - this works with JakartaStreamMultiPartRequest only.
There was a problem hiding this comment.
Yeah this is by design (see this comment), none of the other options mitigate against this as the risk is processing a very large amount of request parts, not necessarily large ones. Though we can probably raise our default limit from 256 to 1000 (used in latest Tomcat).
lukaszlenart
force-pushed
the
feature/WW-5388-upload-servlet6
branch
from
9c4c860 to
51bf8de
Compare
lukaszlenart
force-pushed
the
feature/WW-5388-upload-servlet6
branch
6 times, most recently
from
9f2e912 to
2155d17
Compare
| @@ -27,14 +27,14 @@ | |||
| * The {@link org.apache.struts2.interceptor.ActionFileUploadInterceptor} will use the interface | |||
| * to notify action about the multiple uploaded files. | |||
| */ | |||
| public interface UploadedFilesAware { | |||
| public interface UploadedFilesAware<T> { | |||
There was a problem hiding this comment.
Not sure I understand the benefit of this generic type given this interface is coupled with the ActionFileUploadInterceptor. In what situation would an action implement UploadedFilesAware<NotFile>?
There was a problem hiding this comment.
This is a preparation to support InputStream and allow to stream files directly into actions, yet I need to thinks this through as this change became huge :\
There was a problem hiding this comment.
Oh okay - yeah I just don't know if it makes sense for a marker interface to have a generic type - might just need 2 marker interfaces instead
| @@ -142,18 +142,25 @@ public final class StrutsConstants { | |||
| /** The maximum size of a multipart request (file upload) */ | |||
| public static final String STRUTS_MULTIPART_MAXSIZE = "struts.multipart.maxSize"; | |||
|
|
|||
| /** The maximum size of all uploaded files. | |||
| Used only with {@link org.apache.struts2.dispatcher.multipart.JakartaStreamMultiPartRequest} */ | |||
| public static final String STRUTS_MULTIPART_MAXSIZE_OF_FILES = "struts.multipart.maxSizeOfFiles"; | |||
There was a problem hiding this comment.
Still not very consistent - shouldn't it be MAX_SIZE_OF_FILES?
There was a problem hiding this comment.
IDEA doesn't complain about MAXSIZE that's why I left it, but you are right :)
| errorMessage = buildErrorMessage(e, new Object[]{ | ||
| ex.getContentType() | ||
| }); | ||
| for (DiskFileItem item : servletFileUpload.parseRequest(request)) { |
There was a problem hiding this comment.
Yeah this is by design (see this comment), none of the other options mitigate against this as the risk is processing a very large amount of request parts, not necessarily large ones. Though we can probably raise our default limit from 256 to 1000 (used in latest Tomcat).
| LOG.warn("Failed to delete '{}' due to security exception above.", file.getName(), se); | ||
| } | ||
| } | ||
| Long currentFilesSize = actualSizeOfUploadedFiles(); |
There was a problem hiding this comment.
This seems expensive to compute from scratch every time a file field is encountered, especially when the application might not have even configured a maxSizeOfFiles limit!
There was a problem hiding this comment.
Tbh I'm not convinced this option adds much value in the first place - I think maxSize serves this need well enough. I'm trying to think in what situation would an application need to configure maxSizeOfFiles instead of or in addition to maxSize. They want to accepts lots of big form fields but want to limit the amount of data written to disk? I guess it's possible
There was a problem hiding this comment.
This seems expensive to compute from scratch every time a file field is encountered, especially when the application might not have even configured a
maxSizeOfFileslimit!
Fixed!
lukaszlenart
force-pushed
the
feature/WW-5388-upload-servlet6
branch
3 times, most recently
from
5ca2764 to
61ba63b
Compare
lukaszlenart
force-pushed
the
feature/WW-5388-upload-servlet6
branch
from
61ba63b to
e2215c8
Compare
| LOG.warn("Failed to delete '{}' due to security exception above.", file.getName(), se); | ||
| } | ||
| } | ||
| Long currentFilesSize = maxSizeOfFiles != null ? actualSizeOfUploadedFiles() : null; |
There was a problem hiding this comment.
You can just inline this right?
if (maxSizeOfFiles != null && actualSizeOfUploadedFiles() + file.length() >= maxSizeOfFiles) {
There was a problem hiding this comment.
Not really as it is used inside the if clause in exceedsMaxSizeOfFiles
|
Just FYI, I implemented this PR on a small subset of my server cluster and have been receiving the following ambiguous errors in some of the upload requests. I can't duplicate it in any testing environment, but curious if you might have a clue as to why Struts is creating an actionError with no value in the error, instead it prints "{0}". For this implementation, I am not using the stream parser Error printed by the code below Code that quickly checks for any file upload errors A redacted version of the action |
|
@kusalk sorry for that, I know it's a big change yet I wanted to fix all the issues I have discovered around Jakarta file upload at once. Also all the changes related to |
|
@burtonrhodes I tried to play with the Showcase app and right now there is a problem uploading large files - I get blank page, yet the app is using the new Action Upload Interceptor |
lukaszlenart
force-pushed
the
feature/WW-5388-upload-servlet6
branch
from
94cec3b to
18e8c94
Compare
lukaszlenart
force-pushed
the
feature/WW-5388-upload-servlet6
branch
from
18e8c94 to
d024ccd
Compare
|
|
@burtonrhodes did you have a chance to re-test the latest changes? Everything works fine when testing with the Showcase app yet it uses the new action upload interceptor, but still the same MultiPartParser is used behind the scene. I even added a dedicated integration test to cover max files constraint. |
|
@lukaszlenart yes, all looks good on my end. |
|
LGTM 💯 |
| */ | ||
| public String[] getParameterValues(String name) { | ||
| return parameters.getOrDefault(name, Collections.emptyList()) | ||
| .toArray(String[]::new); |
There was a problem hiding this comment.
This change broke query parameters in multipart requests. Their values are being lost. The old implementation returned null if the parameter didn't exist, but it now returns an empty array. MultiPartRequestWrapper::getParameterValues relies on the fact that it returns null, though, so it's not working correctly anymore.
This is the old implementation:
public String[] getParameterValues(String name) {
List<String> v = params.get(name);
if (v != null && !v.isEmpty()) {
return v.toArray(new String[0]);
}
return null;
}And this is the MultiPartRequestWrapper method that doesn't work correctly after the change:
public String[] getParameterValues(String name) {
return ((multi == null) || (multi.getParameterValues(name) == null)) ? super.getParameterValues(name) : multi.getParameterValues(name);
}
Closes WW-5388