Skip to content

fix attachment file size limit in server backend #35519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open

fix attachment file size limit in server backend #35519

wants to merge 21 commits into from
+114 −52

Conversation

a1012112796
Copy link
Member

fix #35512

@a1012112796
fix attachment file size limit in server backend
7342304 
fix go-gitea#35512

Signed-off-by: a1012112796 <1012112796@qq.com>
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Sep 22, 2025
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code labels Sep 22, 2025
@techknowlogick
Copy link
Member

CI fail is related:


--- FAIL: TestCreateIssueAttachment (0.49s)
    testlogger.go:61: 2025/09/22 14:12:32 modules/storage/local.go:33:NewLocalStorage() [I] Creating new Local Storage at /home/runner/work/gitea/gitea/tests/gitea-lfs-meta
    testlogger.go:61: 2025/09/22 14:12:32 HTTPRequest [I] router: completed GET /user/login for test-mock:12345, 200 OK in 2.1ms @ auth/auth.go:184(auth.SignIn)
    testlogger.go:61: 2025/09/22 14:12:32 HTTPRequest [I] router: completed POST /user/login for test-mock:12345, 303 See Other in 5.8ms @ auth/auth.go:197(auth.SignInPost)
    testlogger.go:61: 2025/09/22 14:12:32 HTTPRequest [I] router: completed POST /user2/repo1/issues/attachments for test-mock:12345, 500 Internal Server Error in 85.8ms @ repo/attachment.go:25(repo.UploadIssueAttachment)
    attachment_test.go:47: Response:  NewAttachment: attachment size 2147483648 exceed limit 104
        
    attachment_test.go:47: 
        	Error Trace:	/home/runner/work/gitea/gitea/tests/integration/integration_test.go:354
        	            				/home/runner/work/gitea/gitea/tests/integration/integration_test.go:160
        	            				/home/runner/work/gitea/gitea/tests/integration/attachment_test.go:47
        	            				/home/runner/work/gitea/gitea/tests/integration/attachment_test.go:67
        	Error:      	Not equal: 
        	            	expected: 200
        	            	actual  : 500
        	Test:       	TestCreateIssueAttachment
        	Messages:   	Request: POST /user2/repo1/issues/attachments

Also, it's probably better to have a status 413 returned if the size is too large

@a1012112796
fix test and apply suggestions
08035a7 
Signed-off-by: a1012112796 <1012112796@qq.com>
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Sep 23, 2025
@lunny lunny added the type/bug label Sep 23, 2025
wxiaoguang
wxiaoguang reviewed Sep 23, 2025
View reviewed changes
routers/api/v1/repo/release_attachment.go Outdated

// Create a new attachment and save the file
attach, err := attachment_service.UploadAttachment(ctx, content, setting.Repository.Release.AllowedTypes, size, &repo_model.Attachment{
attach, err := attachment_service.UploadAttachment(ctx, content, setting.Repository.Release.AllowedTypes, setting.Attachment.MaxSize<<20, size, &repo_model.Attachment{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are at least 2 "attachment max size" config options.

If you always use setting.Attachment.MaxSize, at least one is wrong

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why? looks they are all same in curent design. hasn't found anything like setting.Repository.Release.MaxSize.

ref:

gitea/services/context/upload/upload.go

Lines 90 to 114 in 0b706b0

// AddUploadContext renders template values for dropzone
func AddUploadContext(ctx *context.Context, uploadType string) {
switch uploadType {
case "release":
ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/releases/attachments/remove"
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Release.AllowedTypes, "|", ",")
ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
case "comment":
ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/issues/attachments/remove"
if len(ctx.PathParam("index")) > 0 {
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/" + url.PathEscape(ctx.PathParam("index")) + "/attachments"
} else {
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
}
ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Attachment.AllowedTypes, "|", ",")
ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
default:
setting.PanicInDevOrTesting("Invalid upload type: %s", uploadType)
}
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh you are right, release upload shares the same attachment max size with comment attachment, but doesn't share some other settings .....

It seems to be another (unrelated) legacy problem.

Copy link
Contributor

@wxiaoguang wxiaoguang Oct 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update: the problem I mentioned There are at least 2 "attachment max size" config options. is still there. See my latest comment for UploadFileToServer, there is no limit check either.

wxiaoguang
wxiaoguang reviewed Sep 23, 2025
View reviewed changes
wxiaoguang
wxiaoguang reviewed Sep 23, 2025
View reviewed changes
@lunny
Copy link
Member

lunny commented Oct 4, 2025

last call @go-gitea/technical-oversight-committee

6543
6543 reviewed Oct 6, 2025
View reviewed changes
@lunny @6543
Update services/attachment/attachment.go
f040898 
Co-authored-by: 6543 <6543@obermui.de>
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
@lunny lunny added this to the 1.26.0 milestone Oct 6, 2025
6543
6543 reviewed Oct 6, 2025
View reviewed changes
@6543
Copy link
Member

6543 commented Oct 7, 2025

@a1012112796 -> a1012112796#13

@wxiaoguang
Copy link
Contributor

I try to write a prove of concept

@6543 any proof? If no, revert

@6543 any proof? If no, revert

@6543
Copy link
Member

6543 commented Oct 11, 2025

I'll revert it for now as i did not have time to write one jet to test stuff

@wxiaoguang
Copy link
Contributor

as i did not have time to write one jet to test stuff

Even if you have 100 years, there will be no proof. Golang HTTP packages's FormFile guarantees that the head.Size is the real uploaded size, you can spend a few minutes to read the code, no need to spend 100 years to try.

@6543
Copy link
Member

6543 commented Oct 11, 2025

well did not know/read that docu jet but I should ...
... anyway better save than sorry

@6543 6543 requested a review from wxiaoguang October 11, 2025 16:45
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Oct 11, 2025
edited
Loading

There are still problems:

  1. CreateReleaseAttachment: when the body is used as the upload stream, it should use http.MaxBytesReader to limit the size (fixed)
  2. ctx.Req.ParseMultipartForm(setting.Attachment.MaxSize << 20) is not right, it will make Gitea OOM (fixed)
  3. UploadFileToServer doesn't check the size limit either, I just left a FIXME and didn't make more changes in this PR
    • Feel free to properly fix it

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged labels Oct 11, 2025
@wxiaoguang wxiaoguang requested a review from 6543 October 11, 2025 18:14
@GiteaBot GiteaBot removed the lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. label Oct 11, 2025
@wxiaoguang wxiaoguang requested a review from lunny October 11, 2025 18:14
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 11, 2025
6543
6543 requested changes Oct 11, 2025
View reviewed changes
Copy link
Member

@6543 6543 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

errors.Is dont work now

creating custom errors is fine and all but we should work with golangs error handling system witch means that we should cover unwrap and is interface

@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 11, 2025
@wxiaoguang
Copy link
Contributor

errors.Is dont work now (just revert commit looked at jet)

What do you mean by "errors.Is dont work now"?

@6543
Copy link
Member

6543 commented Oct 11, 2025

i will have time tomorrow, review via mobule is horrible

@wxiaoguang
Copy link
Contributor

creating custom errors is fine and all but we should work with golangs error handling system witch means that we should cover unwrap and is interface

Isn't it what I have done? I don't see any problem.

image

@wxiaoguang
Copy link
Contributor

errors.Is dont work now

What do you mean by "errors.Is dont work now"?

creating custom errors is fine and all but we should work with golangs error handling system witch means that we
should cover unwrap and is interface

Isn't it what I have done? I don't see any problem.

i will have time tomorrow, review via mobule is horrible

@6543 so where is the problem? I think you misunderstood the "golangs error handling system". If no problem, dismiss the change request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@6543 6543 6543 requested changes

@lunny lunny lunny approved these changes

@wxiaoguang wxiaoguang Awaiting requested review from wxiaoguang

Assignees

No one assigned

Labels

backport/v1.25 lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code type/bug

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

Attachment size limit in app.ini not enforced for REST API uploads

6 participants

@a1012112796 @techknowlogick @lunny @6543 @wxiaoguang @GiteaBot