Fix to reject any unintended parameters in multipart request.

core/src/main/java/com/linecorp/armeria/internal/server/FileAggregatedMultipart.java

@@ -21,6 +21,8 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
+import java.util.Collections;
+import java.util.List;
 import java.util.Map.Entry;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
@@ -58,13 +60,20 @@ public ListMultimap<String, MultipartFile> files() {
 
     public static CompletableFuture<FileAggregatedMultipart> aggregateMultipart(ServiceRequestContext ctx,
                                                                                 HttpRequest req) {
+        return aggregateMultipart(ctx, req, Collections.emptyList());
+    }
+
+    public static CompletableFuture<FileAggregatedMultipart> aggregateMultipart(
+            ServiceRequestContext ctx, HttpRequest req, List<String> parameters) {
         final Path destination = ctx.config().multipartUploadsLocation();
         return Multipart.from(req).collect(bodyPart -> {
             final String name = bodyPart.name();
             assert name != null;
+            if (!parameters.isEmpty() && !parameters.contains(name)) {
+                throw new IllegalArgumentException("Unexpected parameter received: " + name);
+            }
             final String filename = bodyPart.filename();
             final EventLoop eventLoop = ctx.eventLoop();
-
             if (filename != null) {
                 final Path incompleteDir = destination.resolve("incomplete");
                 final ScheduledExecutorService executor = ctx.blockingTaskExecutor().withoutContext();

core/src/main/java/com/linecorp/armeria/internal/server/annotation/DefaultAnnotatedService.java

@@ -32,6 +32,7 @@
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.function.Function;
+import java.util.stream.Collectors;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -108,6 +109,7 @@ final class DefaultAnnotatedService implements AnnotatedService {
 
     private final ResponseType responseType;
     private final boolean useBlockingTaskExecutor;
+    private final List<String> parameters;
     @Nullable
     private final String name;
 
@@ -130,6 +132,9 @@ final class DefaultAnnotatedService implements AnnotatedService {
                       method.getDeclaringClass().getSimpleName(), method.getName());
         isKotlinSuspendingMethod = KotlinUtil.isSuspendingFunction(method);
         this.resolvers = requireNonNull(resolvers, "resolvers");
+        parameters = resolvers.stream()
+                              .map(AnnotatedValueResolver::httpElementName)
+                              .collect(Collectors.toList());
 
         requireNonNull(exceptionHandlers, "exceptionHandlers");
         if (exceptionHandlers.isEmpty()) {
@@ -318,7 +323,8 @@ private CompletionStage<HttpResponse> serve1(ServiceRequestContext ctx, HttpRequ
         final CompletableFuture<AggregatedResult> f;
         switch (aggregationType) {
             case MULTIPART:
-                f = FileAggregatedMultipart.aggregateMultipart(ctx, req).thenApply(AggregatedResult::new);
+                f = FileAggregatedMultipart.aggregateMultipart(ctx, req, parameters)
+                                           .thenApply(AggregatedResult::new);
                 break;
             case ALL:
                 f = req.aggregate().thenApply(AggregatedResult::new);

core/src/test/java/com/linecorp/armeria/internal/server/annotation/AnnotatedServiceMultipartTest.java

@@ -19,6 +19,7 @@
 import static com.google.common.collect.ImmutableMap.toImmutableMap;
 import static net.javacrumbs.jsonunit.fluent.JsonFluentAssert.assertThatJson;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 import java.io.File;
 import java.io.IOException;
@@ -89,6 +90,25 @@ void testUploadFile(String path) throws Exception {
                            "\"param1\":\"armeria\"}");
     }
 
+    @ParameterizedTest
+    @ValueSource(strings = "/uploadWithFileParam")
+    void testUploadFileWithUnexpectedParameters(String path) throws Exception {
+        final Multipart multipart = Multipart.of(
+                BodyPart.of(ContentDisposition.of("form-data", "file1", "foo.txt"), "foo"),
+                BodyPart.of(ContentDisposition.of("form-data", "path1", "bar.txt"), "bar"),
+                BodyPart.of(ContentDisposition.of("form-data", "multipartFile1", "qux.txt"), "qux"),
+                BodyPart.of(ContentDisposition.of("form-data", "multipartFile2", "quz.txt"),
+                            MediaType.PLAIN_TEXT, "quz"),
+                // Unexpected parameter: multipartFile3
+                BodyPart.of(ContentDisposition.of("form-data", "multipartFile3", "qux.txt"), "qux"),
+                BodyPart.of(ContentDisposition.of("form-data", "param1"), "armeria")
+
+        );
+        final AggregatedHttpResponse response =
+                server.blockingWebClient().execute(multipart.toHttpRequest(path));
+        assertEquals(HttpStatus.BAD_REQUEST, response.status());
+    }
+
     @Test
     void emptyBodyPart() {
         final Multipart multipart = Multipart.of();