Properly validate MAX_CONTENT_SIZE when publishing extensions (#1458)

netomi · web-flow · commit 4146fd8d2f99 · 2025-12-11T09:35:31.000+01:00
* Properly validate MAX_CONTENT_SIZE when publishing extensions

* make maxContentSize configurable
diff --git a/server/src/main/java/org/eclipse/openvsx/ExtensionService.java b/server/src/main/java/org/eclipse/openvsx/ExtensionService.java
@@ -9,9 +9,11 @@
  ********************************************************************************/
 package org.eclipse.openvsx;
 
+import com.google.common.io.ByteStreams;
 import jakarta.persistence.EntityManager;
 import jakarta.transaction.Transactional;
 import jakarta.transaction.Transactional.TxType;
+import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.eclipse.openvsx.admin.RemoveFileJobRequest;
 import org.eclipse.openvsx.cache.CacheService;
@@ -57,6 +59,9 @@ public class ExtensionService {
     @Value("${ovsx.publishing.require-license:false}")
     boolean requireLicense;
 
+    @Value("${ovsx.publishing.max-content-size:" + MAX_CONTENT_SIZE + "}")
+    int maxContentSize;
+
     public ExtensionService(
             EntityManager entityManager,
             RepositoryService repositories,
@@ -107,17 +112,19 @@ private void doPublish(TempFile extensionFile, String binaryName, PersonalAccess
     }
 
     private TempFile createExtensionFile(InputStream content) {
-        try (var input = new BufferedInputStream(content)) {
-            input.mark(0);
-            var skipped = input.skip(MAX_CONTENT_SIZE  + 1);
-            if (skipped > MAX_CONTENT_SIZE) {
-                throw new ErrorResultException("The extension package exceeds the size limit of 512 MB.", HttpStatus.PAYLOAD_TOO_LARGE);
-            }
-
+        try (var input = ByteStreams.limit(new BufferedInputStream(content), maxContentSize + 1)) {
+            long size;
             var extensionFile = new TempFile("extension_", ".vsix");
             try(var out = Files.newOutputStream(extensionFile.getPath())) {
-                input.reset();
-                input.transferTo(out);
+                size = input.transferTo(out);
+            }
+
+            if (size > maxContentSize) {
+                try {
+                    extensionFile.close();
+                } catch (IOException _) {}
+                var maxSize = FileUtils.byteCountToDisplaySize(maxContentSize);
+                throw new ErrorResultException("The extension package exceeds the size limit of " + maxSize + ".", HttpStatus.PAYLOAD_TOO_LARGE);
             }
 
             return extensionFile;
