Merge pull request #332 from HEPData/check-uploadmaxsize

Check file size less than UPLOAD_MAX_SIZE
HEPData · Apr 21, 2021 · 52daa3b · 52daa3b
2 parents d03c1c0 + e9cfbf1
commit 52daa3b
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 1 deletion.
diff --git a/hepdata/config.py b/hepdata/config.py
@@ -155,6 +155,7 @@ def _(x):
 SEARCH_AUTOINDEX = []
 
 UPLOAD_MAX_SIZE = 52000000  # Upload limit in bytes
+MAX_CONTENT_LENGTH = UPLOAD_MAX_SIZE  # Flask: don’t read more than this many bytes from the incoming request data
 CONVERT_MAX_SIZE = sys.maxsize  # Limit on payload sent to converter (checked at submission)
 CLIENT_TIMEOUT = 298  # Client-side timeout in s (should be slightly smaller than server timeout)
 

diff --git a/hepdata/modules/records/api.py b/hepdata/modules/records/api.py
@@ -370,6 +370,13 @@ def process_payload(recid, file, redirect_url, synchronous=False):
 
     if file and (allowed_file(file.filename)):
         file_path = save_zip_file(file, recid)
+        file_size = os.path.getsize(file_path)
+        UPLOAD_MAX_SIZE = current_app.config.get('UPLOAD_MAX_SIZE', 52000000)
+        if file_size > UPLOAD_MAX_SIZE:
+            return jsonify({"message":
+                "{} too large ({} bytes > {} bytes)".format(
+                    file.filename, file_size, UPLOAD_MAX_SIZE)}), 413
+
         hepsubmission = get_latest_hepsubmission(publication_recid=recid)
 
         if hepsubmission.overall_status == 'finished':

diff --git a/hepdata/version.py b/hepdata/version.py
@@ -28,4 +28,4 @@
 and parsed by ``setup.py``.
 """
 
-__version__ = "0.9.4dev20210309"
+__version__ = "0.9.4dev20210420"
diff --git a/tests/records_test.py b/tests/records_test.py
@@ -355,6 +355,27 @@ def test_upload_invalid_file(app):
         })
 
 
+def test_upload_max_size(app):
+    # Test uploading a file with size greater than UPLOAD_MAX_SIZE
+    app.config.update({'UPLOAD_MAX_SIZE': 1000000})
+    with app.app_context():
+        user = User.query.first()
+        login_user(user)
+
+        recid = '12345'
+        get_or_create_hepsubmission(recid, 1)
+
+        base_dir = os.path.dirname(os.path.realpath(__file__))
+        with open(os.path.join(base_dir, 'test_data/TestHEPSubmission.zip'), "rb") as stream:
+            test_file = FileStorage(stream=stream, filename="TestHEPSubmission.zip")
+            response, code = process_payload(recid, test_file, '/test_redirect_url', synchronous=True)
+
+        assert(code == 413)
+        assert(response.json == {
+            'message': 'TestHEPSubmission.zip too large (1818265 bytes > 1000000 bytes)'
+        })
+
+
 def test_has_upload_permissions(app):
     # Test that a logged-in user cannot upload a file to a record for which
     # they're not an uploader