Benoit Tellier created JAMES-3925:
-------------------------------------
Summary: JMAP quota for uploads
Key: JAMES-3925
URL: https://issues.apache.org/jira/browse/JAMES-3925
Project: James Server
Issue Type: New Feature
Affects Versions: 3.8.0
Reporter: Benoit Tellier
Fix For: master
h3. Why?
As a james user, I want to set up a SaaS mail offer.
As such, I can't control my SaaS users, I have limited prior control on them,
and little retorsion mechanisms. As such I cannot assert that they are good
actors, as I would for instance for an on-premise deployment.
It turns out the JMAP uploads offer a simple binary store that is currently not
limited by James. As such it would be trivial for an attacker to exploit this
to store unlimited amount of data.
The way to counter such a threat is to set up a quota on users uploads.
h3. How?
- Store the current size of total user uploads. Cassandra and memory
implementation.
- Have a global limit (configured)
- Enforce the quota checks upon uploads. Upon upload deletion.
- Expose a webadmin API to see user quota usage for JMAP uploads.
h3. Definition of done
JMAP integration tests rejecting offending over-quota uploads.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
