rusackas opened a new pull request, #40860: URL: https://github.com/apache/superset/pull/40860
### SUMMARY `UploadCommand.validate()` (used by the CSV / Excel / columnar upload flows) validated database and schema permissions but never checked the **size** of the uploaded file. A large file would be read fully into memory (BytesIO buffers, then a pandas DataFrame) before any bound was applied. This adds an **opt-in** size limit: | Config | Default | |--------|---------| | `UPLOAD_MAX_FILE_SIZE_BYTES` | `None` (no limit) | It defaults to `None`, which keeps the previous behavior (no limit). When set to a byte value, a file larger than the limit is rejected in `validate()` with a `413` (`DatabaseUploadFileTooLarge`) before its contents are read. The size is measured by seeking the upload stream and restoring its position, so it does not consume the file. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A — backend validation, config-gated. ### TESTING INSTRUCTIONS ``` pytest tests/unit_tests/commands/databases/upload_command_test.py ``` New tests: size helper does not consume the stream; a file over the limit is rejected; a file within the limit passes; no limit configured means no rejection. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [x] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
