@sun-asterisk/sunlint


☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards

{ "ruleId": "S028", "name": "Limit upload file size and number of files per user", "description": "File upload endpoints must enforce both a maximum file size and a maximum number of files per request to prevent resource exhaustion and DoS attacks. These limits must be enforced server-side (client-side checks are trivially bypassed). This heuristic rule only detects per-request framework limits; per-user storage quotas and upload rate limiting are outside its scope and need application-level enforcement.", "category": "security", "severity": "medium", "languages": ["typescript", "javascript", "java"], "tags": [ "security", "file-upload", "dos-prevention", "resource-limits", "owasp" ], "enabled": true, "fixable": false, "engine": "heuristic", "metadata": { "owaspCategory": "A04:2021 - Insecure Design", "cweId": "CWE-400", "description": "File uploads without proper size and quantity limits can lead to Denial of Service (DoS) attacks, resource exhaustion, and storage abuse. Attackers can upload extremely large files or a large number of files in a single request to exhaust disk, memory, and bandwidth on the server.", "impact": "High - DoS attacks, storage exhaustion, service disruption", "likelihood": "Medium", "remediation": "Implement server-side file size limits (≤ 10MB recommended) and file quantity limits (≤ 10 files recommended) using framework-specific middleware or configuration, and also cap the total request size (e.g. Spring's spring.servlet.multipart.max-request-size), since a per-file cap alone does not bound the aggregate size of many files in one request" }, "limits": { "recommended": { "maxFileSize": "10MB", "maxFileSizeBytes": 10485760, "maxFiles": 10, "maxRequestSize": "20MB" }, "thresholds": { "highRisk": { "fileSize": 52428800, "files": 50, "description": "File size > 50MB or > 50 files - High risk" }, "mediumRisk": { "fileSize": 20971520, "files": 20, "description": "File size > 20MB or > 20 files - Medium risk" } } }, "patterns": { "nodejs": { "multer": { "required": ["limits.fileSize", "limits.files"], "violations": [ "Missing limits object", "Missing limits.fileSize", "Missing limits.files", "File size exceeds 10MB threshold", "File count exceeds 10 files threshold" ] }, "express": { "required": [ "express.json({ limit })", "express.urlencoded({ limit })" ], "violations": [ "Missing body size limit", "Body size limit exceeds 10MB" ] } }, "nestjs": { "fileInterceptor": { "required": ["limits.fileSize", 
"limits.files"], "violations": [ "FileInterceptor missing limits option", "File size exceeds 10MB threshold" ] } }, "java": { "spring": { "required": [ "spring.servlet.multipart.max-file-size", "spring.servlet.multipart.max-request-size" ], "violations": [ "Missing multipart configuration", "File size exceeds 10MB threshold" ] } } }, "validationIndicators": { "nodejs": [ "multer", "limits.fileSize", "limits.files", "express.json({ limit })", "express.urlencoded({ limit })" ], "nestjs": [ "FileInterceptor", "FilesInterceptor", "FileFieldsInterceptor", "limits" ], "java": [ "spring.servlet.multipart.max-file-size", "spring.servlet.multipart.max-request-size", "MultipartConfigElement" ] }, "examples": { "violations": [ { "code": "const upload = multer({ dest: 'uploads/' });", "issue": "Multer configuration has no limits object, so both file size and file count are unbounded - vulnerable to DoS", "severity": "high" }, { "code": "const upload = multer({ limits: { fileSize: 100 * 1024 * 1024 } });", "issue": "File size limit too high (100MB) - recommend ≤ 10MB; limits.files is also missing, so the number of files per request is still unbounded", "severity": "medium" }, { "code": "@UseInterceptors(FileInterceptor('file')) uploadFile(@UploadedFile() file) {}", "issue": "FileInterceptor called without a limits option - uploaded file size is unbounded", "severity": "high" }, { "code": "app.use(express.json());", "issue": "Express body parser has no explicit size limit and falls back to the parser's default; note that express.json/urlencoded bound JSON and form bodies only, not multipart file uploads", "severity": "medium" } ], "fixes": [ { "code": "const upload = multer({ limits: { fileSize: 10 * 1024 * 1024, files: 5 } });", "description": "Add a per-file size limit (10MB) and a per-request file-count limit (5 files) to multer" }, { "code": "@UseInterceptors(FileInterceptor('file', { limits: { fileSize: 5 * 1024 * 1024 } })) uploadFile(@UploadedFile() file) {}", "description": "Add a size limit to FileInterceptor (5MB); for FilesInterceptor/FileFieldsInterceptor also set limits.files to cap the number of files per request" }, { "code": "app.use(express.json({ limit: '10mb' })); app.use(express.urlencoded({ limit: '10mb', extended: true }));", "description": "Add an explicit body size limit to the Express JSON/urlencoded parsers (10MB); this covers JSON and form bodies only - multipart uploads must be bounded via multer limits" }, { "code": "spring.servlet.multipart.max-file-size=10MB\nspring.servlet.multipart.max-request-size=20MB", 
"description": "Configure Spring Boot multipart limits: max-file-size caps each uploaded part and max-request-size caps the whole multipart request, so keep max-request-size >= max-file-size" } ] }, "frameworkSupport": { "multer": { "patterns": ["multer(", "multer({"], "limitKeys": ["limits.fileSize", "limits.files", "limits"], "configPath": "First argument object" }, "fileInterceptor": { "patterns": [ "@UseInterceptors(FileInterceptor", "@UseInterceptors(FilesInterceptor", "@UseInterceptors(FileFieldsInterceptor" ], "limitKeys": ["limits.fileSize", "limits.files"], "configPath": "Second argument object" }, "express": { "patterns": ["express.json(", "express.urlencoded("], "limitKeys": ["limit"], "configPath": "First argument object" }, "spring": { "patterns": [ "spring.servlet.multipart.max-file-size", "spring.servlet.multipart.max-request-size" ], "configFiles": ["application.properties", "application.yml"] } }, "owaspMapping": { "category": "A04:2021 – Insecure Design", "subcategories": ["A05:2021 – Security Misconfiguration"], "description": "Validates that file upload endpoints declare per-request size and quantity limits in framework configuration to prevent resource exhaustion attacks" } }