bito-code-review[bot] commented on PR #40860:
URL: https://github.com/apache/superset/pull/40860#issuecomment-4651509042
The flagged security issue is correct. The current implementation only
enforces `UPLOAD_MAX_FILE_SIZE_BYTES` within `UploadCommand.validate()`, which
is bypassed by the metadata endpoint (`/api/v1/database/upload_metadata/`) as
it calls reader `file_metadata()` methods directly without invoking the command
validation.
To resolve this, you should centralize the file size check. A recommended
approach is to move the `_file_size_bytes` helper and the size validation logic
into a shared utility or a base class method that both the `UploadCommand` and
the metadata endpoint can invoke before processing the file. This ensures
consistent enforcement across all entry points.
I have reviewed the PR comments and there are no other pending review
comments in the provided context. Would you like me to proceed with
implementing this centralized validation fix?
**superset/commands/database/uploaders/base.py**
```
from typing import Any


@staticmethod
def _file_size_bytes(file: Any) -> int:
    """Return the size of an uploaded file without consuming its
    stream."""
    # werkzeug FileStorage exposes the underlying file as `.stream`;
    # fall back to the object itself for plain file-like inputs
    stream = getattr(file, "stream", file)
    position = stream.tell()
    stream.seek(0, 2)  # seek to end
    size = stream.tell()
    stream.seek(position)  # restore the original position
    return size
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]