Skip to content

Harden multipart upload handling against Commons FileUpload header-based DoS#55

Draft
pagarwal-dev with Copilot wants to merge 3 commits into
mainfrom
copilot/upgrade-apache-commons-fileupload
Draft

Harden multipart upload handling against Commons FileUpload header-based DoS#55
pagarwal-dev with Copilot wants to merge 3 commits into
mainfrom
copilot/upgrade-apache-commons-fileupload

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Commons FileUpload was pinned to a vulnerable release and upload handling relied on permissive defaults. This updates the dependency to a fixed version and adds explicit multipart limits to reduce exposure to malformed or header-heavy upload requests.

  • Dependency update

    • Upgrade commons-fileupload from 1.3.3 to 1.6.0
  • Multipart parser hardening

    • Centralize FileUpload construction behind a hardened factory method
    • Enforce limits for:
      • total request size
      • per-file size
      • file count
      • per-part header size
  • Application-level request limits

    • Add Spring multipart caps for file and request size
    • Add container-level HTTP header size cap
    • Clarify in config that multipart part-header enforcement remains in Commons FileUpload code
  • Regression coverage

    • Add a focused test asserting the configured upload limits and temp repository wiring
public static ServletFileUpload createSecureFileUpload() {
    DiskFileItemFactory factory = new DiskFileItemFactory();
    factory.setRepository(new File(System.getProperty("java.io.tmpdir")));

    ServletFileUpload upload = new ServletFileUpload(factory);
    upload.setFileSizeMax(5L * 1024 * 1024);
    upload.setSizeMax(10L * 1024 * 1024);
    upload.setFileCountMax(5L);
    upload.setPartHeaderSizeMax(512);
    return upload;
}

Copilot AI changed the title [WIP] Fix denial-of-service vulnerability in Apache Commons FileUpload Harden multipart upload handling against Commons FileUpload header-based DoS Jul 2, 2026
Copilot AI requested a review from pagarwal-dev July 2, 2026 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] [HIGH] Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers

2 participants