limit the maximum size of upload pictures

pkg/api/transaction_pictures.go

@@ -55,6 +55,11 @@ func (a *TransactionPicturesApi) TransactionPictureUploadHandler(c *core.WebCont
 		return nil, errs.ErrTransactionPictureIsEmpty
 	}
 
+	if pictureFiles[0].Size > int64(a.CurrentConfig().MaxTransactionPictureFileSize) {
+		log.Warnf(c, "[transaction_pictures.TransactionPictureUploadHandler] the upload file size \"%d\" exceeds the maximum size \"%d\" of transaction picture for user \"uid:%d\"", pictureFiles[0].Size, a.CurrentConfig().MaxTransactionPictureFileSize, uid)
+		return nil, errs.ErrExceedMaxTransactionPictureFileSize
+	}
+
 	fileExtension := utils.GetFileNameExtension(pictureFiles[0].Filename)
 
 	if utils.GetImageContentType(fileExtension) == "" {

pkg/api/users.go

@@ -544,6 +544,11 @@ func (a *UsersApi) UserUpdateAvatarHandler(c *core.WebContext) (any, *errs.Error
 		return nil, errs.ErrUserAvatarIsEmpty
 	}
 
+	if avatarFiles[0].Size > int64(a.CurrentConfig().MaxAvatarFileSize) {
+		log.Warnf(c, "[users.UserUpdateAvatarHandler] the upload file size \"%d\" exceeds the maximum size \"%d\" of user avatar for user \"uid:%d\"", avatarFiles[0].Size, a.CurrentConfig().MaxAvatarFileSize, uid)
+		return nil, errs.ErrExceedMaxUserAvatarFileSize
+	}
+
 	fileExtension := utils.GetFileNameExtension(avatarFiles[0].Filename)
 
 	if utils.GetImageContentType(fileExtension) == "" {

pkg/errs/transaction.go

@@ -29,4 +29,5 @@ var (
 	ErrCannotUseHiddenTransactionTag                       = NewNormalError(NormalSubcategoryTransaction, 22, http.StatusBadRequest, "cannot use hidden transaction tag")
 	ErrTransactionHasTooManyTags                           = NewNormalError(NormalSubcategoryTransaction, 23, http.StatusBadRequest, "transaction has too many tags")
 	ErrTransactionHasTooManyPictures                       = NewNormalError(NormalSubcategoryTransaction, 24, http.StatusBadRequest, "transaction has too many pictures")
+	ErrExceedMaxTransactionPictureFileSize                 = NewNormalError(NormalSubcategoryTransaction, 25, http.StatusBadRequest, "exceed the maximum size of transaction picture file")
 )

pkg/errs/user.go

@@ -36,4 +36,5 @@ var (
 	ErrUserAvatarNoExists                                  = NewNormalError(NormalSubcategoryUser, 27, http.StatusNotFound, "user avatar not exists")
 	ErrUserAvatarNotSet                                    = NewNormalError(NormalSubcategoryUser, 28, http.StatusNotFound, "user avatar not set")
 	ErrUserAvatarExtensionInvalid                          = NewNormalError(NormalSubcategoryUser, 29, http.StatusNotFound, "user avatar file extension invalid")
+	ErrExceedMaxUserAvatarFileSize                         = NewNormalError(NormalSubcategoryUser, 30, http.StatusBadRequest, "exceed the maximum size of user avatar file")
 )

pkg/settings/setting.go

@@ -135,6 +135,9 @@ const (
 	defaultEmailVerifyTokenExpiredTime   uint32 = 3600    // 60 minutes
 	defaultPasswordResetTokenExpiredTime uint32 = 3600    // 60 minutes
 
+	defaultTransactionPictureFileMaxSize uint32 = 10485760 // 10MB
+	defaultUserAvatarFileMaxSize         uint32 = 1048576  // 1MB
+
 	defaultExchangeRatesDataRequestTimeout uint32 = 10000 // 10 seconds
 )
 
@@ -273,8 +276,10 @@ type Config struct {
 	EnableUserForgetPassword         bool
 	ForgetPasswordRequireVerifyEmail bool
 	EnableTransactionPictures        bool
+	MaxTransactionPictureFileSize    uint32
 	EnableScheduledTransaction       bool
 	AvatarProvider                   core.UserAvatarProviderType
+	MaxAvatarFileSize                uint32
 
 	// Data
 	EnableDataExport bool
@@ -743,6 +748,7 @@ func loadUserConfiguration(config *Config, configFile *ini.File, sectionName str
 	config.EnableUserForgetPassword = getConfigItemBoolValue(configFile, sectionName, "enable_forget_password", false)
 	config.ForgetPasswordRequireVerifyEmail = getConfigItemBoolValue(configFile, sectionName, "forget_password_require_email_verify", false)
 	config.EnableTransactionPictures = getConfigItemBoolValue(configFile, sectionName, "enable_transaction_picture", false)
+	config.MaxTransactionPictureFileSize = getConfigItemUint32Value(configFile, sectionName, "max_transaction_picture_size", defaultTransactionPictureFileMaxSize)
 	config.EnableScheduledTransaction = getConfigItemBoolValue(configFile, sectionName, "enable_scheduled_transaction", false)
 
 	if getConfigItemStringValue(configFile, sectionName, "avatar_provider") == string(core.USER_AVATAR_PROVIDER_INTERNAL) {
@@ -755,6 +761,8 @@ func loadUserConfiguration(config *Config, configFile *ini.File, sectionName str
 		return errs.ErrInvalidAvatarProvider
 	}
 
+	config.MaxAvatarFileSize = getConfigItemUint32Value(configFile, sectionName, "max_user_avatar_size", defaultUserAvatarFileMaxSize)
+
 	return nil
 }