Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attachment length is undefined in validation function #1320

Closed
OldSneerJaw opened this issue May 9, 2018 · 1 comment
Closed

Attachment length is undefined in validation function #1320

OldSneerJaw opened this issue May 9, 2018 · 1 comment
Labels
wontfix

Comments

@OldSneerJaw
Copy link

OldSneerJaw commented May 9, 2018
edited
Loading

Expected Behavior

When a new attachment (e.g. my-attachment.txt) is added to a document by way of the PUT /db/doc/attachment endpoint, the length/size of the attachment should be exposed to the validation function by way of the newDoc._attachments['my-attachment.txt'].length field.

Current Behavior

In the case described above, the newDoc._attachments['my-attachment.txt'].length field has a value of undefined when the attachment is first added. However, on subsequent revisions to the document, the newDoc._attachments['my-attachment.txt'].length field is correctly populated with the length of the file in the validation function. For example, consider the following sequence of events:

  1. Document A is created in revision 1 with some arbitrary content
  2. Attachment my-attachment.txt is added to document A via PUT /db/doc/attachment in revision 2
  3. The content of document A is replaced in revision 3

In step 2, the attachment object's length will be undefined when the validation function is executed. But in step 3, the attachment object's length will have the correct integer value when the validation function is executed.

Steps to Reproduce

  1. Add a design document with the following validation function:
function(newDoc, oldDoc) { 
  var names = Object.keys(newDoc._attachments); 
  for (var nameIndex = 0; nameIndex < names.length; nameIndex++) { 
    var name = names[nameIndex]; 
    var attachment = newDoc._attachments[name]; 
    if (attachment.length > 25) { 
      throw { forbidden: 'Maximum attachment length (25 bytes) exceeded by ' + name }; 
    } 
  }
}
  1. Add an attachment that exceeds the 25 byte limit defined in the validation function. Much to my chagrin, it will be allowed.
PUT /test/attachment-length-test/foo.txt HTTP/1.1
Host: localhost:5984
Content-Type: text/plain
Authorization: Basic ********

This is a simple text file whose length exceeds 25 bytes.
  1. Attempt to add a second attachment that does not violate the constraint:
PUT /test/attachment-length-test/bar.txt?rev=1-0300ab1eae40ff6acda7c8772ed7a3e7 HTTP/1.1
Host: localhost:5984
Content-Type: text/plain
Authorization: Basic ********

This is short enough!

The request will be rejected with the following response, indicating that the attachment that was added in the previous operation (foo.txt) is too large:

{
    "error": "forbidden",
    "reason": "Maximum attachment length (25 bytes) exceeded by foo.txt"
}

Context

This issue prevents fine-grained control by the validation function over the maximum size of each individual attachment or the maximum size of all attachments combined since the size of each attachment as it is being added is undefined. For instance, one might want their validation function to prevent document attachments larger than 100KB and to ensure that all attachments combined are no larger than 500KB to prevent malicious/clueless users from filling up the DB's hard drive.

Your Environment
@wohali wohali added the wontfix label May 9, 2018
@wohali
Copy link
Member

wohali commented May 9, 2018
edited
Loading

2.2.0 and forward will have a new way of defining maximum document sizes and may or may not have maximum allowed attachment sizes as well. See for reference: #1253 #1200

These will, however, be set at a server-wide level, not on a per-database setting.

Unfortunately, the view server (couchjs) subsystem intentionally has no facility for accessing information as regards attachments. This was done intentionally very early on in CouchDB's development to ensure rapid performance of view building, even when attachments are large. We don't expect this to change any time soon.

I hate to close this as a wontfix, but I hope that the above will provide some hope that you'll be able to achieve what you want soon. I would encourage you to comment on #1253 with your thoughts, and any enhancements you might think would be useful, so that we can enforce useful limits without having to resort to an inefficient VDU.

@wohali wohali closed this as completed May 9, 2018
OldSneerJaw added a commit to OldSneerJaw/couchster that referenced this issue May 9, 2018
@OldSneerJaw
Issue #19: Remove documentation for attachment size constraints
98b5078 
The attachment size constraints (i.e. `attachmentConstraints.maximumIndividualSize`, `attachmentConstraints.maximumTotalSize` and the `attachmentReference` validation type's `maximumSize`) cannot be applied correctly to CouchDB documents due to a performance optimization that makes it impossible for a validation function to determine the size of an attachment as it is being created ([more info](apache/couchdb#1320)). The documentation has been updated to remove mention of the attachment size constraints, since they cannot be enforced. They will be removed from the code altogether in the future.
This was referenced May 9, 2018
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
wontfix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wohali @OldSneerJaw