[ 
https://issues.apache.org/jira/browse/JAMES-3925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoit Tellier closed JAMES-3925.
---------------------------------
    Resolution: Fixed

> JMAP quota for uploads
> ----------------------
>
>                 Key: JAMES-3925
>                 URL: https://issues.apache.org/jira/browse/JAMES-3925
>             Project: James Server
>          Issue Type: New Feature
>    Affects Versions: 3.8.0
>            Reporter: Benoit Tellier
>            Priority: Major
>             Fix For: master
>
>          Time Spent: 12h 10m
>  Remaining Estimate: 0h
>
> h3. Why?
> As a James user, I want to set up a SaaS mail offer.
> As such, I can't control my SaaS users, I have limited prior control on them, 
> and few retorsion mechanisms. As such I cannot assert that they are good 
> actors, as I would for instance for an on-premise deployment.
> It turns out the JMAP uploads offer a simple binary store that is currently 
> not limited by James. As such it would be trivial for an attacker to exploit 
> this to store an unlimited amount of data.
> The way to counter such a threat is to set up a quota on users' uploads.
> h3. How?
>  - Store the current size of total user uploads. Cassandra and memory 
> implementation.
>  - Have a global limit (configured)
>  - Enforce the quota checks upon uploads. Upon upload deletion.
>  - Expose a webadmin API to see user quota usage for JMAP uploads.
> h3. Definition of done
> JMAP integration tests rejecting offending over-quota uploads.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
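
The quota design listed under "How?" in the issue, as an added in-memory example that is not code from the James project: per-user usage is tracked, one configured limit is enforced atomically on upload, and space is released on deletion. The class `UploadQuotaSketch`, its methods, the 10-byte limit and the user name are all hypothetical.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-memory sketch: none of these names are James classes or APIs.
public class UploadQuotaSketch {
    private final long limitBytes; // the single, configured global limit
    private final Map<String, Long> usage = new ConcurrentHashMap<>();   // user -> bytes stored
    private final Map<String, byte[]> blobs = new ConcurrentHashMap<>(); // "user/id" -> content

    public UploadQuotaSketch(long limitBytes) { this.limitBytes = limitBytes; }

    public String upload(String user, byte[] content) {
        long size = content.length; // bytes actually received, not a client-declared size
        // compute() is atomic per key: concurrent uploads cannot both pass the check.
        // If the lambda throws, the stored usage is left unchanged.
        usage.compute(user, (u, current) -> {
            long next = (current == null ? 0L : current) + size;
            if (next > limitBytes) {
                throw new IllegalStateException("over quota: " + next + " > " + limitBytes);
            }
            return next;
        });
        String id = UUID.randomUUID().toString();
        blobs.put(user + "/" + id, content);
        return id;
    }

    public void delete(String user, String id) {
        byte[] removed = blobs.remove(user + "/" + id);
        if (removed != null) { // release the space once, even if delete is repeated
            usage.computeIfPresent(user, (u, current) -> Math.max(0L, current - removed.length));
        }
    }

    public long usageOf(String user) { return usage.getOrDefault(user, 0L); } // for an admin view

    public static void main(String[] args) {
        UploadQuotaSketch store = new UploadQuotaSketch(10); // constructed 10-byte limit
        String first = store.upload("alice", new byte[6]);
        try {
            store.upload("alice", new byte[6]); // 6 + 6 > 10
        } catch (IllegalStateException e) {
            System.out.println("rejected, " + e.getMessage());
        }
        store.delete("alice", first);
        store.upload("alice", new byte[6]); // fits again after the deletion
        System.out.println("alice uses " + store.usageOf("alice") + " bytes");
    }
}
```

A distributed backend needs the same check-and-increment to be a single atomic step; reading the usage and then writing it back as two operations lets concurrent uploads exceed the limit.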
