Skip to content

fix: enforce FILE_SIZE_LIMIT on published Space asset upload #9242

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sriramveeraghanta wants to merge 2 commits into
base: preview
Choose a base branch
from
+15 −4
Open

fix: enforce FILE_SIZE_LIMIT on published Space asset upload #9242

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5b37cac
fix(api): enforce FILE_SIZE_LIMIT on published Space asset upload
sriramveeraghanta Jun 16, 2026
f8a918e
fix(api): clamp Space asset size to a valid lower bound
sriramveeraghanta Jun 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 15 additions & 4 deletions apps/api/plane/space/views/asset.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,10 +76,21 @@ def post(self, request, anchor):
# Get the asset
name = sanitize_filename(request.data.get("name")) or "unnamed"
type = request.data.get("type", "image/jpeg")
size = int(request.data.get("size", settings.FILE_SIZE_LIMIT))
try:
size = int(request.data.get("size", settings.FILE_SIZE_LIMIT))
except (TypeError, ValueError):
return Response(
{"error": "Invalid size.", "status": False},
status=status.HTTP_400_BAD_REQUEST,
)
entity_type = request.data.get("entity_type", "")
entity_identifier = request.data.get("entity_identifier")

# Clamp the client-provided size to [1, FILE_SIZE_LIMIT] so the signed
# upload policy cannot exceed the instance limit and always carries a
# valid content-length-range bound
size_limit = max(1, min(size, settings.FILE_SIZE_LIMIT))

# Check if the entity type is allowed
if entity_type not in FileAsset.EntityTypeContext.values:
return Response(
Expand Down Expand Up @@ -109,9 +120,9 @@ def post(self, request, anchor):

# Create a File Asset
asset = FileAsset.objects.create(
attributes={"name": name, "type": type, "size": size},
attributes={"name": name, "type": type, "size": size_limit},
asset=asset_key,
size=size,
size=size_limit,
workspace=deploy_board.workspace,
created_by=request.user,
entity_type=entity_type,
Expand All @@ -122,7 +133,7 @@ def post(self, request, anchor):
# Get the presigned URL
storage = S3Storage(request=request)
# Generate a presigned URL to share an S3 object
presigned_url = storage.generate_presigned_post(object_name=asset_key, file_type=type, file_size=size)
presigned_url = storage.generate_presigned_post(object_name=asset_key, file_type=type, file_size=size_limit)
# Return the presigned URL
return Response(
{
Expand Down
Loading