Database

Java Excessive Max Upload Size

Description

Identifies Java applications that use multipart file upload support (CommonsMultipartResolver or MultipartConfigFactory) without setting a maximum upload size. Both handlers default to -1, meaning unlimited, so without an explicit limit an attacker can send arbitrarily large multipart bodies that fill disk or temporary storage, exhaust memory, or tie up request threads, producing a denial of service. Note that CommonsMultipartResolver exists only in Spring Framework 5 and earlier (it was removed in Spring Framework 6); on newer stacks the limit is set through MultipartConfigFactory or the spring.servlet.multipart.max-file-size and spring.servlet.multipart.max-request-size properties.

Weakness:

354 - Insecure file upload - Files Limit

Category: Access Subversion

Detection Strategy

    Identifies instantiations of CommonsMultipartResolver or MultipartConfigFactory in Java code

    Checks whether a size limit is ever applied to that handler: setMaxUploadSize (or setMaxUploadSizePerFile) for CommonsMultipartResolver, and setMaxFileSize or setMaxRequestSize for MultipartConfigFactory

    Reports a vulnerability when a file upload component is configured without any such size restriction
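The strategy above written out as a small, runnable heuristic. This is an added illustration, not the scanner behind this database entry: it blanks out comments, finds `new CommonsMultipartResolver(` / `new MultipartConfigFactory(` calls, and reports any whose file never invokes a size-limiting setter for that handler type. The four Java sources it scans are constructed samples (file names, class names and `DataSize` values are assumptions), and the file-level check is a deliberate simplification: a limit set in another file, through a properties file, or via data flow this regex cannot see would still be flagged, so treat its output as review candidates rather than verdicts.

```python
import re
from dataclasses import dataclass

# Handler constructor -> setters that bound the accepted request/file size.
# CommonsMultipartResolver's maxUploadSize defaults to -1 (unlimited), and a
# MultipartConfigFactory with no setter calls yields a MultipartConfigElement
# whose max-file-size and max-request-size are also -1 (unlimited).
LIMIT_SETTERS = {
    "CommonsMultipartResolver": ("setMaxUploadSize", "setMaxUploadSizePerFile"),
    "MultipartConfigFactory": ("setMaxFileSize", "setMaxRequestSize"),
}

CONSTRUCTOR = re.compile(r"\bnew\s+(CommonsMultipartResolver|MultipartConfigFactory)\s*\(")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
LINE_COMMENT = re.compile(r"//[^\n]*")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    handler: str


def strip_comments(source: str) -> str:
    """Blank out comments while keeping newlines so line numbers survive.
    A setter that only appears inside a comment must not count as a limit."""
    source = BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    return LINE_COMMENT.sub("", source)


def find_unbounded_handlers(path: str, source: str) -> list[Finding]:
    """Report each multipart handler constructed in `source` when no
    size-limiting setter for that handler type appears in the same file."""
    code = strip_comments(source)
    findings = []
    for match in CONSTRUCTOR.finditer(code):
        handler = match.group(1)
        setter_pattern = r"\.\s*(%s)\s*\(" % "|".join(LIMIT_SETTERS[handler])
        if re.search(setter_pattern, code):
            continue
        line = code.count("\n", 0, match.start()) + 1
        findings.append(Finding(path, line, handler))
    return findings


def scan(files: dict[str, str]) -> list[Finding]:
    """Run the check over a {path: source} mapping and return all findings."""
    return [f for path, src in files.items() for f in find_unbounded_handlers(path, src)]


# Constructed sample inputs (hypothetical, not real project code):
# two unbounded handlers that should be reported, two bounded ones that should not.
SAMPLES = {
    "CommonsUnbounded.java": """\
import org.springframework.web.multipart.commons.CommonsMultipartResolver;

public class FileUploadConfig {
    public CommonsMultipartResolver multipartResolver() {
        return new CommonsMultipartResolver();
    }
}
""",
    "CommonsBounded.java": """\
import org.springframework.web.multipart.commons.CommonsMultipartResolver;

public class FileUploadConfig {
    public CommonsMultipartResolver multipartResolver() {
        CommonsMultipartResolver resolver = new CommonsMultipartResolver();
        resolver.setMaxUploadSize(5 * 1024 * 1024);
        return resolver;
    }
}
""",
    "FactoryUnbounded.java": """\
import jakarta.servlet.MultipartConfigElement;
import org.springframework.boot.web.servlet.MultipartConfigFactory;

public class UploadConfig {
    public MultipartConfigElement multipartConfigElement() {
        /* TODO: factory.setMaxFileSize(...) */
        MultipartConfigFactory factory = new MultipartConfigFactory();
        return factory.createMultipartConfig();
    }
}
""",
    "FactoryBounded.java": """\
import jakarta.servlet.MultipartConfigElement;
import org.springframework.boot.web.servlet.MultipartConfigFactory;
import org.springframework.util.unit.DataSize;

public class UploadConfig {
    public MultipartConfigElement multipartConfigElement() {
        MultipartConfigFactory factory = new MultipartConfigFactory();
        factory.setMaxFileSize(DataSize.ofMegabytes(5));
        factory.setMaxRequestSize(DataSize.ofMegabytes(10));
        return factory.createMultipartConfig();
    }
}
""",
}

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(f"{finding.path}:{finding.line}: {finding.handler} created without a size limit")
```

Running the module reports `CommonsUnbounded.java:5` and `FactoryUnbounded.java:7` only; the commented-out `setMaxFileSize` in the third sample does not suppress the finding because comments are blanked before matching.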

Vulnerable code example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;

@Configuration
public class FileUploadConfig {
    @Bean(name = "multipartResolver")
    public CommonsMultipartResolver multipartResolver() {
        // Vulnerable: maxUploadSize is left at its default of -1 (unlimited),
        // so a client can stream an arbitrarily large multipart body
        CommonsMultipartResolver resolver = new CommonsMultipartResolver();
        return resolver;
    }
}

✅ Secure code example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;

@Configuration
public class FileUploadConfig {
    @Bean(name = "multipartResolver")
    public CommonsMultipartResolver multipartResolver() {
        CommonsMultipartResolver resolver = new CommonsMultipartResolver();
        // 5 MB cap on the multipart request; larger uploads are rejected with
        // MaxUploadSizeExceededException instead of consuming server resources
        resolver.setMaxUploadSize(5 * 1024 * 1024);
        return resolver;
    }
}