Prevent Disk Space Exhaustion

In a disk space exhaustion attack (a form of Denial of Service (DoS) attack), a threat actor overwhelms a target server with files designed to consume all available disk space. This topic describes how to protect your server and reduce CWE-400-related security risks.

Limit Uploaded File Size

The following table lists DevExpress ASP.NET MVC extensions that support file upload operations:

| Extension | Uploaded File Size Limit |
|---|---|
| Binary Image, File Manager, Upload Control | Unlimited |
| Html Editor | 30 MB |
| Rich Text Editor, Spreadsheet | No limit for document file size, but a 30 MB+ image cannot be inserted into the document. |

If file size exceeds limits, file validation fails and the extension displays an error message. Specify the extension’s MaxFileSize validation setting to set the maximum allowed size for uploaded files. The MaxFileSizeErrorText property allows you to customize error text.

@Html.DevExpress().FileManager(settings => {
    settings.Name = "fileManager";
    settings.DownloadRouteValues = new { Controller = "FileManager", Action = "DownloadFiles" };
    settings.CallbackRouteValues = new { Controller = "FileManager", Action = "FileManagerPartial" };
    settings.SettingsUpload.ValidationSettings.MaxFileSize = 4000000;
    settings.SettingsUpload.ValidationSettings.MaxFileSizeErrorText = "File size exceeds the 4MB";
    // ...
}).BindToFolder(Model).GetHtml()

For the Upload Control extension, you should specify the maximum allowed size both in view and controller code. To do the latter, implement a custom model binder that initializes the MaxFileSize setting:

@using (Html.BeginForm()) {
    @Html.DevExpress().UploadControl(settings => {
        settings.Name = "uploadControl";
        settings.CallbackRouteValues = new { Controller = "UploadFiles", Action = "UploadFilesHandler" };
        settings.ShowUploadButton = true;
        settings.ValidationSettings.MaxFileSize = 4000000;
        settings.ValidationSettings.MaxFileSizeErrorText = "File size exceeds the 4MB";
    }).GetHtml()
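}

using System.Collections.Generic;
using System.Web.Mvc;
using DevExpress.Web;
using DevExpress.Web.Mvc;

public class UploadFilesController : Controller {
    public ActionResult UploadFilesHandler([ModelBinder(typeof(UploadFilesBinder))] IEnumerable<UploadedFile> uploadControl) {
        return null;
    }
    public class UploadFilesBinder : DevExpressEditorsBinder {
        public UploadFilesBinder() {
            // Same limit as in the view, applied when the binder validates the upload in controller code.
            UploadControlBinderSettings.ValidationSettings.MaxFileSize = 4000000;
        }
    }
}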

Refer to the following topic for additional information on maximum file size: Uploading Large Files.

Use Stream to Access Large File Content

The Upload Control’s FileUploadComplete and FilesUploadComplete events allow you to access uploaded files. If you allow users to upload large files, use the uploaded file’s FileContent stream to access file contents:

@using(Html.BeginForm()) {
    @Html.DevExpress().UploadControl(settings => {
        settings.Name = "uploadControl";
        settings.CallbackRouteValues = new {Controller = "UploadFiles", Action = "UploadFilesHandler"};
        settings.ShowUploadButton = true;
        settings.UploadMode = UploadControlUploadMode.Advanced;
        settings.AdvancedModeSettings.EnableMultiSelect = true;
    }).GetHtml()
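}

using System.Collections.Generic;
using System.Web.Mvc;
using DevExpress.Web;
using DevExpress.Web.Mvc;

public class UploadFilesController : Controller {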
    public ActionResult UploadFilesHandler([ModelBinder(typeof(UploadFilesBinder))] IEnumerable<UploadedFile> uploadControl) {
        return null;
    }
    public class UploadFilesBinder : DevExpressEditorsBinder {
        public UploadFilesBinder() {
            UploadControlBinderSettings.FilesUploadCompleteHandler = uploadControl_FilesUploadComplete;
        }
        private void uploadControl_FilesUploadComplete(object sender, FilesUploadCompleteEventArgs e) {
            var uploadedFiles = ((MVCxUploadControl)sender).UploadedFiles;
            if (uploadedFiles != null && uploadedFiles.Length > 0) {
                for (int i = 0; i < uploadedFiles.Length; i++) {
                    UploadedFile file = (UploadedFile)uploadedFiles[i];
                    if (file.IsValid && file.FileName != "") {
                        using (var stream = file.FileContent) {
                            // Process files here
                        }
                    }
                }
            }
        }
    }
}
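
One way to fill in the "Process files here" step so that the handler itself cannot fill the disk, shown as an added example rather than DevExpress code: the hypothetical BoundedUploadWriter.Save helper copies the FileContent stream in chunks, enforces a per-file byte cap and a free-space reserve (both assumed policy values), and deletes partial output on failure. It uses only System.IO and assumes the destination is on a local drive.

```csharp
using System;
using System.IO;

// Hypothetical helper (not a DevExpress API): copies an upload stream to disk
// in fixed-size chunks and stops as soon as a byte budget is exceeded.
public static class BoundedUploadWriter {
    const int BufferSize = 81920; // fixed 80 KB buffer keeps memory use flat

    // maxBytes: per-file cap, for example the 4000000 used for MaxFileSize above.
    // minFreeBytes: free space that must remain on the volume (assumed policy value).
    public static long Save(Stream source, string destPath, long maxBytes, long minFreeBytes) {
        string fullPath = Path.GetFullPath(destPath);
        // Assumption: destPath is on a local drive (DriveInfo rejects UNC roots).
        var drive = new DriveInfo(Path.GetPathRoot(fullPath));
        if (drive.AvailableFreeSpace - maxBytes < minFreeBytes)
            throw new IOException("Not enough free disk space to accept this upload.");

        long written = 0;
        bool created = false, completed = false;
        try {
            // CreateNew refuses to overwrite a file that already exists.
            using (var target = new FileStream(fullPath, FileMode.CreateNew, FileAccess.Write, FileShare.None)) {
                created = true;
                var buffer = new byte[BufferSize];
                int read;
                while ((read = source.Read(buffer, 0, buffer.Length)) > 0) {
                    written += read;
                    // Count the bytes actually read instead of trusting a declared length.
                    if (written > maxBytes)
                        throw new InvalidDataException("Upload exceeds the per-file size limit.");
                    target.Write(buffer, 0, read);
                }
            }
            completed = true;
            return written;
        }
        finally {
            // Remove partial output so rejected uploads do not accumulate on disk.
            if (created && !completed)
                File.Delete(fullPath);
        }
    }
}
```

Inside the `using (var stream = file.FileContent)` block, a call to `BoundedUploadWriter.Save(stream, path, 4000000, reserveBytes)` would take the place of the placeholder comment, where `path` is a server-generated file name and `reserveBytes` is the chosen reserve.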