fix: refactor multipart file config

Abega1642 · Abega1642 · commit a9f52c494df1 · 2025-12-21T11:42:59.000+03:00
diff --git a/src/main/java/com/example/arInfra/config/MultipartConfigurationInitializer.java b/src/main/java/com/example/arInfra/config/MultipartConfigurationInitializer.java
@@ -0,0 +1,36 @@
+package com.example.arInfra.config;
+
+import com.example.arInfra.InfraGenerated;
+import com.example.arInfra.validator.file.MultipartPropertiesValidator;
+import jakarta.annotation.PostConstruct;
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.autoconfigure.web.servlet.MultipartProperties;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * Initializes and validates multipart file upload configuration at application startup.
+ *
+ * <p>This configuration class ensures that multipart upload limits are validated before the
+ * application accepts any requests, providing fail-fast behavior for security misconfigurations.
+ */
+@Configuration
+@InfraGenerated
+@RequiredArgsConstructor
+public class MultipartConfigurationInitializer {
+
+  private final MultipartProperties multipartProperties;
+  private final MultipartPropertiesValidator multipartPropertiesValidator;
+
+  /**
+   * Validates multipart configuration at application startup.
+   *
+   * <p>If validation fails, the application will not start, ensuring that insecure configurations
+   * are caught immediately rather than at runtime.
+   *
+   * @throws SecurityException if multipart configuration is insecure or missing
+   */
+  @PostConstruct
+  public void validateMultipartConfiguration() {
+    multipartPropertiesValidator.validate(multipartProperties);
+  }
+}
diff --git a/src/main/java/com/example/arInfra/config/MultipartConfigurer.java b/src/main/java/com/example/arInfra/config/MultipartConfigurer.java
diff --git a/src/main/java/com/example/arInfra/validator/file/MultipartPropertiesValidator.java b/src/main/java/com/example/arInfra/validator/file/MultipartPropertiesValidator.java
@@ -0,0 +1,110 @@
+package com.example.arInfra.validator.file;
+
+import static java.lang.String.format;
+import static org.springframework.util.unit.DataSize.ofBytes;
+import static org.springframework.util.unit.DataSize.ofMegabytes;
+
+import com.example.arInfra.InfraGenerated;
+import com.example.arInfra.validator.Validator;
+import jakarta.validation.constraints.NotNull;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.web.servlet.MultipartProperties;
+import org.springframework.stereotype.Component;
+import org.springframework.util.unit.DataSize;
+import org.springframework.validation.annotation.Validated;
+
+/**
+ * Validator for multipart file upload configuration properties.
+ *
+ * <p>This validator ensures that file upload limits are explicitly configured and within acceptable
+ * security bounds, preventing DoS attacks through unrestricted file uploads.
+ *
+ * <p>Security compliance:
+ *
+ * <ul>
+ *   <li>OWASP - Top 10 2021 Category A5 - Security Misconfiguration
+ *   <li>CWE-770 - Allocation of Resources Without Limits or Throttling
+ *   <li>CWE-400 - Uncontrolled Resource Consumption
+ * </ul>
+ *
+ * <p>Validation rules:
+ *
+ * <ul>
+ *   <li>Max file size must be explicitly configured (not default/unlimited)
+ *   <li>Max request size must be explicitly configured
+ *   <li>Values must not exceed absolute maximum (100MB)
+ *   <li>Warns if values exceed OWASP recommendation (8MB)
+ * </ul>
+ */
+@Slf4j
+@Component
+@Validated
+@InfraGenerated
+public class MultipartPropertiesValidator implements Validator<MultipartProperties> {
+
+  private static final DataSize RECOMMENDED_MAX_SIZE = ofMegabytes(8);
+  private static final DataSize ABSOLUTE_MAX_SIZE = ofMegabytes(100);
+  private static final DataSize ZERO = ofBytes(0);
+
+  @Override
+  public void validate(@NotNull MultipartProperties properties) {
+    validateMaxFileSize(properties.getMaxFileSize());
+    validateMaxRequestSize(properties.getMaxRequestSize());
+
+    log.info(
+        "Multipart configuration validated - maxFileSize: {}, maxRequestSize: {}",
+        properties.getMaxFileSize(),
+        properties.getMaxRequestSize());
+  }
+
+  @Override
+  public Class<MultipartProperties> getValidatedType() {
+    return MultipartProperties.class;
+  }
+
+  private void validateMaxFileSize(DataSize maxFileSize) {
+    if (maxFileSize == null || maxFileSize.compareTo(ZERO) <= 0)
+      throw new SecurityException(
+          format(
+              "%s %s",
+              "Multipart max-file-size must be explicitly configured for security.",
+              "Set spring.servlet.multipart.max-file-size in application.yml"));
+
+    if (maxFileSize.compareTo(ABSOLUTE_MAX_SIZE) > 0)
+      throw new SecurityException(
+          format(
+              "Multipart max-file-size (%s) exceeds absolute maximum (%s). "
+                  + "This poses a serious DoS risk.",
+              maxFileSize, ABSOLUTE_MAX_SIZE));
+
+    if (maxFileSize.compareTo(RECOMMENDED_MAX_SIZE) > 0)
+      log.warn(
+          "Multipart max-file-size ({}) exceeds OWASP recommendation of {}. "
+              + "Ensure this is required for your use case.",
+          maxFileSize,
+          RECOMMENDED_MAX_SIZE);
+  }
+
+  private void validateMaxRequestSize(DataSize maxRequestSize) {
+    if (maxRequestSize == null || maxRequestSize.compareTo(ZERO) <= 0)
+      throw new SecurityException(
+          format(
+              "%s %s",
+              "Multipart max-request-size must be explicitly configured for security.",
+              "Set spring.servlet.multipart.max-request-size in application.yml"));
+
+    if (maxRequestSize.compareTo(ABSOLUTE_MAX_SIZE) > 0)
+      throw new SecurityException(
+          format(
+              "Multipart max-request-size (%s) exceeds absolute maximum (%s). "
+                  + "This poses a serious DoS risk.",
+              maxRequestSize, ABSOLUTE_MAX_SIZE));
+
+    if (maxRequestSize.compareTo(RECOMMENDED_MAX_SIZE) > 0)
+      log.warn(
+          "Multipart max-request-size ({}) exceeds OWASP recommendation of {}. "
+              + "Ensure this is required for your use case.",
+          maxRequestSize,
+          RECOMMENDED_MAX_SIZE);
+  }
+}
diff --git a/src/test/java/com/example/arInfra/validator/file/MultipartPropertiesValidatorTest.java b/src/test/java/com/example/arInfra/validator/file/MultipartPropertiesValidatorTest.java
@@ -0,0 +1,158 @@
+package com.example.arInfra.validator.file;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.springframework.util.unit.DataSize.ofBytes;
+import static org.springframework.util.unit.DataSize.ofMegabytes;
+
+import com.example.arInfra.InfraGenerated;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.autoconfigure.web.servlet.MultipartProperties;
+
+@InfraGenerated
+class MultipartPropertiesValidatorTest {
+
+  private MultipartPropertiesValidator subject;
+
+  @BeforeEach
+  void setUp() {
+    subject = new MultipartPropertiesValidator();
+  }
+
+  @Test
+  void validate_with_valid_configuration_should_succeed() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofMegabytes(8));
+    properties.setMaxRequestSize(ofMegabytes(8));
+
+    assertDoesNotThrow(() -> subject.validate(properties));
+  }
+
+  @Test
+  void validate_with_5mb_limit_should_succeed() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofMegabytes(5));
+    properties.setMaxRequestSize(ofMegabytes(5));
+
+    assertDoesNotThrow(() -> subject.validate(properties));
+  }
+
+  @Test
+  void validate_with_10mb_limit_should_succeed_with_warning() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofMegabytes(10));
+    properties.setMaxRequestSize(ofMegabytes(10));
+
+    assertDoesNotThrow(() -> subject.validate(properties));
+  }
+
+  @Test
+  void validate_with_null_max_file_size_should_throw_exception() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(null);
+    properties.setMaxRequestSize(ofMegabytes(8));
+
+    SecurityException exception =
+        assertThrows(SecurityException.class, () -> subject.validate(properties));
+
+    assertTrue(exception.getMessage().contains("max-file-size"));
+    assertTrue(exception.getMessage().contains("explicitly configured"));
+  }
+
+  @Test
+  void validate_with_zero_max_file_size_should_throw_exception() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofBytes(0));
+    properties.setMaxRequestSize(ofMegabytes(8));
+
+    SecurityException exception =
+        assertThrows(SecurityException.class, () -> subject.validate(properties));
+
+    assertTrue(exception.getMessage().contains("max-file-size"));
+  }
+
+  @Test
+  void validate_with_negative_max_file_size_should_throw_exception() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofBytes(-1));
+    properties.setMaxRequestSize(ofMegabytes(8));
+
+    SecurityException exception =
+        assertThrows(SecurityException.class, () -> subject.validate(properties));
+
+    assertTrue(exception.getMessage().contains("max-file-size"));
+  }
+
+  @Test
+  void validate_with_null_max_request_size_should_throw_exception() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofMegabytes(8));
+    properties.setMaxRequestSize(null);
+
+    SecurityException exception =
+        assertThrows(SecurityException.class, () -> subject.validate(properties));
+
+    assertTrue(exception.getMessage().contains("max-request-size"));
+    assertTrue(exception.getMessage().contains("explicitly configured"));
+  }
+
+  @Test
+  void validate_with_excessive_max_file_size_should_throw_exception() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofMegabytes(150));
+    properties.setMaxRequestSize(ofMegabytes(8));
+
+    SecurityException exception =
+        assertThrows(SecurityException.class, () -> subject.validate(properties));
+
+    assertTrue(exception.getMessage().contains("exceeds absolute maximum"));
+    assertTrue(exception.getMessage().contains("DoS risk"));
+  }
+
+  @Test
+  void validate_with_excessive_max_request_size_should_throw_exception() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofMegabytes(8));
+    properties.setMaxRequestSize(ofMegabytes(150));
+
+    SecurityException exception =
+        assertThrows(SecurityException.class, () -> subject.validate(properties));
+
+    assertTrue(exception.getMessage().contains("exceeds absolute maximum"));
+    assertTrue(exception.getMessage().contains("DoS risk"));
+  }
+
+  @Test
+  void validate_with_exactly_100mb_limit_should_succeed() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofMegabytes(100));
+    properties.setMaxRequestSize(ofMegabytes(100));
+
+    assertDoesNotThrow(() -> subject.validate(properties));
+  }
+
+  @Test
+  void validate_with_101mb_limit_should_throw_exception() {
+    MultipartProperties properties = new MultipartProperties();
+    properties.setMaxFileSize(ofMegabytes(101));
+    properties.setMaxRequestSize(ofMegabytes(8));
+
+    SecurityException exception =
+        assertThrows(SecurityException.class, () -> subject.validate(properties));
+
+    assertTrue(exception.getMessage().contains("exceeds absolute maximum"));
+  }
+
+  @Test
+  void get_validated_type_should_return_multipart_properties_class() {
+    assertEquals(MultipartProperties.class, subject.getValidatedType());
+  }
+
+  @Test
+  void validate_with_null_properties_should_throw_exception() {
+    assertThrows(NullPointerException.class, () -> subject.validate(null));
+  }
+}
