Comments (5)
We're doing this for security reasons: setting a large allowed max body size for the entire server opens the API/application up to Denial of Service attacks where people push a lot of data to the endpoints, which then needs to be parsed/processed.
For the upload endpoint, this is deliberately set to a higher value to allow larger uploads for UX reasons. The value passed to the application must be the same as the one on the server, since this is displayed as a help text to form designers (they can also specify maximum attachment file size limits on the file field, but can get confused if they specify a value higher than configured on the server).
IIRC the application and nginx use slightly different syntaxes to express file size (20M vs 20mb or something like that?), which made re-using the same variable not as straightforward, but I may be confusing this with Open Zaak.
Thank you for clarifying this.
The opt-in was not an option anyway, I realized later, since nginx will default to its 1M.
Some organizations would prefer to handle it by their ingress / load balancers, but they can set it to 0M in the values (setting size to 0 disables checking of client request body size).
The syntax is the same (much appreciated) and `settings.maxFileUpload: 50M` is already used both for the ENV var `MAX_FILE_UPLOAD_SIZE` of the application and for the nginx endpoint:

```nginx
location = /api/v1/formio/fileupload {
    client_max_body_size {{ .Values.settings.maxFileUpload }};
    include conf.d/proxy;
}
```

Correct me if I'm wrong, with the current defaults:

```yaml
nginx.config.clientMaxBodySize: 10M
settings.maxFileUpload: 50M
```

users are still able to upload files to a max of 50M?
Yes, that should be the case. However, that `v1` in the endpoint is catching my attention - we're on v2 of the API, so maybe that's causing issues? Do you also have a `/api/v2/formio/fileupload` rule?
I do not. I will however then replace the `v1` endpoint and release a new chart version.
Latest chart version is:

```yaml
type: application
version: 1.2.1
appVersion: 2.0.5
```

So technically this is correct, since 2.0.5 is still using the `v1` endpoint.
I don't remember the specifics - there was some deprecation going on in there, but since OF v2.x the major version of the API endpoints was changed too, from `v1` -> `v2`. The major version of the application and the API stay in sync, see also: https://open-forms.readthedocs.io/en/stable/developers/versioning.html
To be 100% safe, I'd just list them both (or use a regex to target `/api/v(1|2)/formio/fileupload`).
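The thread above makes two points that are easy to get wrong in a chart: the server-wide `client_max_body_size` should stay small so that only the upload endpoint accepts large bodies, and the limit nginx enforces on that endpoint must equal the `MAX_FILE_UPLOAD_SIZE` the application shows to form designers. The check below is an added example, not code from the open-forms charts project: it parses nginx size values, resolves which `client_max_body_size` applies to a request path with a simplified model of nginx location matching (exact `=` match, then `~`/`~*` regex rules in order, then the longest prefix; `^~` is not modelled), and reports the v1-only mismatch discussed in the thread. The values, paths and rules are constructed to mirror the discussion.

```python
"""Compare the nginx body-size limits from chart values with the application's
upload limit. Added example; not code from the open-forms charts project.
Location matching is a simplified model of nginx (no `^~` handling)."""
import re
from dataclasses import dataclass
from typing import List, Optional

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(value: str) -> int:
    """Parse an nginx size ("10M", "512k", "0") into bytes. A trailing "b"
    ("20mb") is tolerated so both spellings mentioned in the thread normalise
    to the same number. 0 means 'unlimited' for client_max_body_size."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)[bB]?\s*", value)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


@dataclass
class Location:
    modifier: str            # "=", "~", "~*" or "" for a plain prefix
    pattern: str
    max_body: Optional[int]  # bytes; None = inherit the server-level value


def effective_limit(path: str, server_default: int, locations: List[Location]) -> int:
    """Return the client_max_body_size nginx would apply to a request path."""
    def limit(loc: Location) -> int:
        return server_default if loc.max_body is None else loc.max_body

    for loc in locations:                       # 1. exact match wins outright
        if loc.modifier == "=" and loc.pattern == path:
            return limit(loc)
    for loc in locations:                       # 2. regex rules, first match
        flags = re.IGNORECASE if loc.modifier == "~*" else 0
        if loc.modifier in ("~", "~*") and re.search(loc.pattern, path, flags):
            return limit(loc)
    prefixes = [l for l in locations if l.modifier == "" and path.startswith(l.pattern)]
    if prefixes:                                # 3. longest matching prefix
        return limit(max(prefixes, key=lambda l: len(l.pattern)))
    return server_default


def check_limits(server_size: str, app_size: str, locations: List[Location],
                 upload_paths: List[str]) -> List[str]:
    """Compare what nginx enforces per upload path with MAX_FILE_UPLOAD_SIZE.
    Returns a list of findings; an empty list means the limits are coherent."""
    server = parse_size(server_size)
    app = parse_size(app_size)
    findings = []
    if server == 0:
        findings.append("server-wide client_max_body_size is 0 (unlimited): nginx no "
                        "longer bounds request bodies, so an ingress/load balancer "
                        "in front must enforce a limit instead")
    elif server >= app:
        findings.append(f"server-wide limit {server_size} is not smaller than the "
                        f"upload limit {app_size}; the per-location override adds nothing")
    for path in upload_paths:
        eff = effective_limit(path, server, locations)
        if eff != app:
            findings.append(f"{path}: nginx enforces {eff} bytes but the application "
                            f"advertises {app} bytes ({app_size}) to form designers")
    return findings


# Constructed values mirroring the thread: chart defaults 10M / 50M and an
# nginx rule that only covers the v1 upload endpoint.
V1_ONLY = [Location("=", "/api/v1/formio/fileupload", parse_size("50M"))]
# The regex suggested at the end of the thread covers both API versions.
V1_AND_V2 = [Location("~", r"^/api/v(1|2)/formio/fileupload$", parse_size("50M"))]
UPLOAD_PATHS = ["/api/v1/formio/fileupload", "/api/v2/formio/fileupload"]

if __name__ == "__main__":
    for name, rules in (("v1 only", V1_ONLY), ("v1|v2 regex", V1_AND_V2)):
        print(name, check_limits("10M", "50M", rules, UPLOAD_PATHS) or ["ok"])
```

With the v1-only rule the check reports that `/api/v2/formio/fileupload` is capped at the 10M server default while the application advertises 50M; with the `v(1|2)` regex both paths resolve to 50M and the list of findings is empty. Setting the server-wide value to `0M`, as the thread mentions for organisations that limit bodies at their ingress, is flagged so that someone reviewing the values knows the limit has moved rather than disappeared.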