From 9622d5de06569c71d7e512779699815cea964c25 Mon Sep 17 00:00:00 2001
From: MaysWind
Date: Fri, 6 Sep 2024 23:34:35 +0800
Subject: [PATCH] limit the maximum size of upload pictures

---
 conf/ezbookkeeping.ini | 6 ++++++
 pkg/api/transaction_pictures.go | 5 +++++
 pkg/api/users.go | 5 +++++
 pkg/errs/transaction.go | 1 +
 pkg/errs/user.go | 1 +
 pkg/settings/setting.go | 8 ++++++++
 src/locales/en.json | 2 ++
 src/locales/zh_Hans.json | 2 ++
 8 files changed, 30 insertions(+)

diff --git a/conf/ezbookkeeping.ini b/conf/ezbookkeeping.ini
index 607b49d8..1e05e983 100644
--- a/conf/ezbookkeeping.ini
+++ b/conf/ezbookkeeping.ini
@@ -202,6 +202,9 @@ forget_password_require_email_verify = false
 # Set to true to allow users to upload transaction pictures
 enable_transaction_picture = true
 
+# Maximum allowed transaction picture file size (1 - 4294967295 bytes)
+max_transaction_picture_size = 10485760
+
 # Set to true to allow users to create scheduled transaction
 enable_scheduled_transaction = true
 
@@ -211,6 +214,9 @@ enable_scheduled_transaction = true
 # Leave blank if you want to disable user avatar
 avatar_provider = internal
 
+# For "internal" avatar provider only, maximum allowed user avatar file size (1 - 4294967295 bytes)
+max_user_avatar_size = 1048576
+
 [data]
 # Set to true to allow users to export their data
 enable_export = true
diff --git a/pkg/api/transaction_pictures.go b/pkg/api/transaction_pictures.go
index d36e2bea..2f87b8b3 100644
--- a/pkg/api/transaction_pictures.go
+++ b/pkg/api/transaction_pictures.go
@@ -55,6 +55,11 @@ func (a *TransactionPicturesApi) TransactionPictureUploadHandler(c *core.WebCont
 return nil, errs.ErrTransactionPictureIsEmpty
 }
 
+ if pictureFiles[0].Size > int64(a.CurrentConfig().MaxTransactionPictureFileSize) {
+ log.Warnf(c, "[transaction_pictures.TransactionPictureUploadHandler] the upload file size \"%d\" exceeds the maximum size \"%d\" of transaction picture for user \"uid:%d\"", pictureFiles[0].Size, a.CurrentConfig().MaxTransactionPictureFileSize, uid)
+ return nil, errs.ErrExceedMaxTransactionPictureFileSize
+ }
+
 fileExtension := utils.GetFileNameExtension(pictureFiles[0].Filename)
 
 if utils.GetImageContentType(fileExtension) == "" {
diff --git a/pkg/api/users.go b/pkg/api/users.go
index 001d871f..f5db46d0 100644
--- a/pkg/api/users.go
+++ b/pkg/api/users.go
@@ -544,6 +544,11 @@ func (a *UsersApi) UserUpdateAvatarHandler(c *core.WebContext) (any, *errs.Error
 return nil, errs.ErrUserAvatarIsEmpty
 }
 
+ if avatarFiles[0].Size > int64(a.CurrentConfig().MaxAvatarFileSize) {
+ log.Warnf(c, "[users.UserUpdateAvatarHandler] the upload file size \"%d\" exceeds the maximum size \"%d\" of user avatar for user \"uid:%d\"", avatarFiles[0].Size, a.CurrentConfig().MaxAvatarFileSize, uid)
+ return nil, errs.ErrExceedMaxUserAvatarFileSize
+ }
+
 fileExtension := utils.GetFileNameExtension(avatarFiles[0].Filename)
 
 if utils.GetImageContentType(fileExtension) == "" {
diff --git a/pkg/errs/transaction.go b/pkg/errs/transaction.go
index 517e16fb..9f9efe74 100644
--- a/pkg/errs/transaction.go
+++ b/pkg/errs/transaction.go
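Review bot: The size check added to TransactionPictureUploadHandler compares `pictureFiles[0].Size`, a value that only exists once the multipart body has been parsed, so an oversized upload is still received and buffered in full before it is rejected — the limit bounds what gets stored, not what the server accepts. Unless something upstream that is not visible here (router, middleware or the multipart memory limit) caps the request body, a client can still push arbitrarily large bodies at this endpoint; wrapping the body with `http.MaxBytesReader` sized to the configured limit plus form overhead, before the form is parsed, would enforce the limit at the transport layer as well and make the two agree. Only the first file is examined, which matches the lines that follow (they also use only `pictureFiles[0]`), but a comment such as `// only the first uploaded file is accepted; size is checked before the extension so large bodies with a bad name are still rejected cheaply` would make the intent explicit. The function starts before this hunk and continues past it.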
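Review bot: The check added to UserUpdateAvatarHandler is a line-for-line copy of the one added to TransactionPictureUploadHandler in the same commit, differing only in the limit, the error value and the handler name in the log text. A small shared helper taking the file header (presumably a `*multipart.FileHeader`, given the `.Size` and `.Filename` uses), the configured limit and the error to return would keep the two checks in step when one of them is later adjusted, for instance to treat a zero limit as "disabled". The handler name would have to be passed in for the log line, or the log could move to the callers. The function starts before this hunk and continues past it.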
@@ -29,4 +29,5 @@ var (
 ErrCannotUseHiddenTransactionTag = NewNormalError(NormalSubcategoryTransaction, 22, http.StatusBadRequest, "cannot use hidden transaction tag")
 ErrTransactionHasTooManyTags = NewNormalError(NormalSubcategoryTransaction, 23, http.StatusBadRequest, "transaction has too many tags")
 ErrTransactionHasTooManyPictures = NewNormalError(NormalSubcategoryTransaction, 24, http.StatusBadRequest, "transaction has too many pictures")
+ ErrExceedMaxTransactionPictureFileSize = NewNormalError(NormalSubcategoryTransaction, 25, http.StatusBadRequest, "exceed the maximum size of transaction picture file")
 )
diff --git a/pkg/errs/user.go b/pkg/errs/user.go
index b8298272..f61cd436 100644
--- a/pkg/errs/user.go
+++ b/pkg/errs/user.go
@@ -36,4 +36,5 @@ var (
 ErrUserAvatarNoExists = NewNormalError(NormalSubcategoryUser, 27, http.StatusNotFound, "user avatar not exists")
 ErrUserAvatarNotSet = NewNormalError(NormalSubcategoryUser, 28, http.StatusNotFound, "user avatar not set")
 ErrUserAvatarExtensionInvalid = NewNormalError(NormalSubcategoryUser, 29, http.StatusNotFound, "user avatar file extension invalid")
+ ErrExceedMaxUserAvatarFileSize = NewNormalError(NormalSubcategoryUser, 30, http.StatusBadRequest, "exceed the maximum size of user avatar file")
 )
diff --git a/pkg/settings/setting.go b/pkg/settings/setting.go
index 50c61b3f..c93bf7ef 100644
--- a/pkg/settings/setting.go
+++ b/pkg/settings/setting.go
@@ -135,6 +135,9 @@ const (
 defaultEmailVerifyTokenExpiredTime uint32 = 3600 // 60 minutes
 defaultPasswordResetTokenExpiredTime uint32 = 3600 // 60 minutes
 
+ defaultTransactionPictureFileMaxSize uint32 = 10485760 // 10MB
+ defaultUserAvatarFileMaxSize uint32 = 1048576 // 1MB
+
 defaultExchangeRatesDataRequestTimeout uint32 = 10000 // 10 seconds
 )
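Review bot: The new ErrExceedMaxTransactionPictureFileSize responds with http.StatusBadRequest, but an oversized upload is exactly the condition HTTP 413 was defined for; `NewNormalError(NormalSubcategoryTransaction, 25, http.StatusRequestEntityTooLarge, "exceed the maximum size of transaction picture file")` lets clients, proxies and rate limiters recognise it without parsing the error body, and it is the status a transport-level body cap would produce anyway, so the two rejection paths would look the same to a client. The same applies to ErrExceedMaxUserAvatarFileSize added to pkg/errs/user.go in this commit. Keeping 400 is defensible if the project deliberately maps every validation failure to 400, as the neighbouring "too many" errors do; if so, a comment saying that would stop the next reviewer asking.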
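Review bot: The new constants are named `defaultTransactionPictureFileMaxSize` and `defaultUserAvatarFileMaxSize`, while the Config fields they seed elsewhere in this commit are `MaxTransactionPictureFileSize` and `MaxAvatarFileSize`, and the ini keys are `max_transaction_picture_size` and `max_user_avatar_size` — the same setting is spelled three different ways, which defeats grepping from one layer to the next. `defaultMaxTransactionPictureFileSize` and `defaultMaxAvatarFileSize` would match the field names. The `// 10MB` and `// 1MB` comments describe MiB values (10485760 is 10 × 1024²); writing them as `10 * 1024 * 1024` and `1024 * 1024` removes the need to verify the literals by hand. The const block starts before this hunk.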
@@ -273,8 +276,10 @@ type Config struct {
 EnableUserForgetPassword bool
 ForgetPasswordRequireVerifyEmail bool
 EnableTransactionPictures bool
+ MaxTransactionPictureFileSize uint32
 EnableScheduledTransaction bool
 AvatarProvider core.UserAvatarProviderType
+ MaxAvatarFileSize uint32
 
 // Data
 EnableDataExport bool
@@ -743,6 +748,7 @@ func loadUserConfiguration(config *Config, configFile *ini.File, sectionName str
 config.EnableUserForgetPassword = getConfigItemBoolValue(configFile, sectionName, "enable_forget_password", false)
 config.ForgetPasswordRequireVerifyEmail = getConfigItemBoolValue(configFile, sectionName, "forget_password_require_email_verify", false)
 config.EnableTransactionPictures = getConfigItemBoolValue(configFile, sectionName, "enable_transaction_picture", false)
+ config.MaxTransactionPictureFileSize = getConfigItemUint32Value(configFile, sectionName, "max_transaction_picture_size", defaultTransactionPictureFileMaxSize)
 config.EnableScheduledTransaction = getConfigItemBoolValue(configFile, sectionName, "enable_scheduled_transaction", false)
 
 if getConfigItemStringValue(configFile, sectionName, "avatar_provider") == string(core.USER_AVATAR_PROVIDER_INTERNAL) {
@@ -755,6 +761,8 @@ func loadUserConfiguration(config *Config, configFile *ini.File, sectionName str
 return errs.ErrInvalidAvatarProvider
 }
 
+ config.MaxAvatarFileSize = getConfigItemUint32Value(configFile, sectionName, "max_user_avatar_size", defaultUserAvatarFileMaxSize)
+
 return nil
 }
diff --git a/src/locales/en.json b/src/locales/en.json
index 71580070..9c420926 100644
--- a/src/locales/en.json
+++ b/src/locales/en.json
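Review bot: The two new Config fields say nothing about their unit; the ini comments in this commit document both as bytes, but a reader of the struct cannot tell bytes from KiB, and the uint32 type silently caps the range at 4 GiB. Trailing comments such as `MaxTransactionPictureFileSize uint32 // per-file upload limit in bytes` and `MaxAvatarFileSize uint32 // per-file upload limit in bytes; meaningful for the internal avatar provider only` would carry what the ini file already documents into the code. The Config struct starts before this hunk and continues past it.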
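Review bot: `max_transaction_picture_size` is read with getConfigItemUint32Value and stored without any range check, even though the ini comment in this commit documents the valid range as 1 – 4294967295 bytes; whether 0 or an unparsable value is rejected, clamped or silently replaced by the default depends on that helper, which is not shown. A zero limit would make every picture upload fail with ErrExceedMaxTransactionPictureFileSize, and a misconfiguration is easier to spot as a startup error than as a stream of rejected uploads, so validating here in the same style as the `avatar_provider` branch a few lines down, which returns errs.ErrInvalidAvatarProvider, is worth the extra lines (a new errs value would be needed; none of the visible ones fits). The same applies to `max_user_avatar_size` in the following hunk. loadUserConfiguration starts before this hunk.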
@@ -1008,6 +1008,7 @@
 "user avatar not exists": "User avatar does not exist",
 "user avatar not set": "User avatar is not set",
 "user avatar file extension invalid": "User avatar file extension is invalid",
+ "exceed the maximum size of user avatar file": "The uploaded user avatar exceeds the maximum allowed file size",
 "unauthorized access": "Unauthorized access",
 "current token is invalid": "Current token is invalid",
 "current token is expired": "Current token is expired",
@@ -1067,6 +1068,7 @@
 "cannot use hidden transaction tag": "You cannot use hidden transaction tag",
 "transaction has too many tags": "There are too many tags in this transaction",
 "transaction has too many pictures": "There are too many pictures in this transaction",
+ "exceed the maximum size of transaction picture file": "The uploaded transaction picture exceeds the maximum allowed file size",
 "transaction category id is invalid": "Transaction category ID is invalid",
 "transaction category not found": "Transaction category is not found",
 "transaction category type is invalid": "Transaction category type is invalid",
diff --git a/src/locales/zh_Hans.json b/src/locales/zh_Hans.json
index 3db33af5..656babf7 100644
--- a/src/locales/zh_Hans.json
+++ b/src/locales/zh_Hans.json
@@ -1008,6 +1008,7 @@
 "user avatar not exists": "用户头像不存在",
 "user avatar not set": "用户没有设置头像",
 "user avatar file extension invalid": "用户头像文件扩展名无效",
+ "exceed the maximum size of user avatar file": "上传的用户头像超出了允许的最大文件大小",
 "unauthorized access": "未授权的登录",
 "current token is invalid": "当前认证令牌无效",
 "current token is expired": "当前认证令牌已过期",
@@ -1067,6 +1068,7 @@
 "cannot use hidden transaction tag": "您不能使用隐藏的交易标签",
 "transaction has too many tags": "交易中的标签过多",
 "transaction has too many pictures": "交易中的图片过多",
+ "exceed the maximum size of transaction picture file": "上传的交易图片超出了允许的最大文件大小",
 "transaction category id is invalid": "交易分类ID无效",
 "transaction category not found": "交易分类不存在",
 "transaction category type is invalid": "交易分类类型无效",