Vaadin Flow - Upload Component

Hi, I have a use case to make sure the filename is not too long or malformed! How to perform this action?
It also looks like someone can intercept this upload link! How to intercept the upload request to this link so I can add some rate limit logic?
HTTP request log:
POST /VAADIN/dynamic/resource/11/33ac6a40-bb49-461e-9b36-b38813187536/upload HTTP/2

You can do all your logic within the upload's listener, like for example the upload started listener. Keep in mind that this won't help you with malicious actors; there you need a proper WAF before your application.

Tester was able to access this path directly and upload multiple files, including ones with very long file names and malformed file names, and then bombarded it with multiple uploads.

If there is any error in Upload, we always respond with 500! Is there a way to change this status code and message?

That's not possible, because it's not intended for a human to access this endpoint. Please validate the corresponding uploads correctly on the server and send upload failed events. And use a WAF.
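One way to do the server-side validation suggested above, as an added example that is not from any participant in this thread: a filename check wired into the Upload started listener, so a name that is too long or malformed is rejected before any bytes are stored, whether the request comes from the browser or is posted straight at the endpoint. The MemoryBuffer receiver, the MAX_NAME_LENGTH value and the 5 MiB size cap are assumptions for the example.

```java
import com.vaadin.flow.component.notification.Notification;
import com.vaadin.flow.component.upload.Upload;
import com.vaadin.flow.component.upload.receivers.MemoryBuffer;
import java.text.Normalizer;
import java.util.regex.Pattern;

public class UploadFilenameGuard {
    // Limit chosen for this example; adjust to what your storage backend accepts
    static final int MAX_NAME_LENGTH = 100;
    // Conservative allow-list: letters, digits, dot, underscore, space, dash (control chars excluded)
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._ -]+");

    /** Returns null when the name is acceptable, otherwise a reason to show the user. */
    public static String rejectReason(String fileName) {
        if (fileName == null || fileName.isBlank()) {
            return "Missing file name";
        }
        // Normalize first so the length and character checks see one canonical form
        String name = Normalizer.normalize(fileName, Normalizer.Form.NFC);
        if (name.length() > MAX_NAME_LENGTH) {
            return "File name longer than " + MAX_NAME_LENGTH + " characters";
        }
        // Path separators and traversal sequences must never reach the storage layer
        if (name.contains("/") || name.contains("\\") || name.contains("..")) {
            return "File name contains path characters";
        }
        if (!SAFE_NAME.matcher(name).matches()) {
            return "File name contains unsupported characters";
        }
        return null;
    }

    public static Upload createUpload() {
        MemoryBuffer buffer = new MemoryBuffer();
        Upload upload = new Upload(buffer);
        upload.setMaxFiles(1);
        upload.setMaxFileSize(5 * 1024 * 1024); // 5 MiB, example value
        // The listener runs on the server, so it also covers direct POSTs to the upload URL
        upload.addStartedListener(event -> {
            String reason = rejectReason(event.getFileName());
            if (reason != null) {
                upload.interruptUpload();
                Notification.show(reason, 5000, Notification.Position.BOTTOM_START);
            }
        });
        return upload;
    }
}
```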

@sanguine-whale might be interesting for you

Today I worked with Tester to set up the Burp Suite testing tool and I was able to replicate their testing! I was able to intercept the HTTP POST request; below is the URL of the Upload Component, and I am able to post directly to this endpoint

POST /VAADIN/dynamic/resource/1/37ae1726-b9a7-4f04-9a03-1f600a6638d0/upload

This in turn does call the relevant Upload Component listeners as you mentioned, and I was able to implement Bucket4j rate limiting to limit the number of requests that I wanted to allow per minute.

Below is the snippet:

```java
// rateLimiter is a Bucket4j Bucket created elsewhere, e.g.:
// Bucket rateLimiter = Bucket.builder()
//         .addLimit(Bandwidth.simple(10, Duration.ofMinutes(1))).build();
upload.addStartedListener(startedEvent -> {
    // Each upload start consumes one token; when the bucket is empty the upload is rejected
    if (rateLimiter.tryConsume(1)) {
        log.info("File upload started - File Name: " + startedEvent.getFileName());
        log.info("File upload size: " + startedEvent.getContentLength() + " bytes");
    } else {
        Notification notification = new Notification(
                "You have reached the maximum upload limit. Please try again later.",
                5000, Notification.Position.BOTTOM_START);
        notification.addThemeVariants(NotificationVariant.LUMO_ERROR);
        notification.open();
        upload.interruptUpload();
    }
});
```

And I was able to confirm my rate limit is working as expected from Burp Suite as well, if a bad actor is trying to intercept and send POST requests.


One of the problems is the HTTP response code! On the Upload Component listener, when this code is executed, `upload.interruptUpload();`, it sends a 500 HTTP status code, but I wanted to change the status code to 429.

Is this possible?

@quirky-zebra

That's not possible with Flow; you have to resort to a higher level, like e.g. a custom servlet filter, and afterwards you have to patch the client upload component because it expects the current value, making it a total nightmare to maintain.

@quirky-zebra I am able to change the HTTP status code when it's 200 but not when it's 500

```java
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;

// Registered through META-INF/services/com.vaadin.flow.server.VaadinServiceInitListener
public class ApplicationServiceInitListener implements VaadinServiceInitListener {
    @Override
    public void serviceInit(ServiceInitEvent serviceInitEvent) {
        serviceInitEvent.addRequestHandler((session, request, response) -> {
            // RequestHandler to change how responses are handled
            String pathInfo = request.getPathInfo();
            // getPathInfo() can be null for some requests, so guard before calling endsWith
            if (pathInfo != null && pathInfo.endsWith("upload")) {
                System.out.println("session = " + session.getService());
                System.out.println("request = " + pathInfo);
                System.out.println("response = " + response.getService().getServiceName());
                response.setStatus(429);
            }
            // false: the request is not marked as handled, so Flow's own handling continues
            return false;
        });
    }
}
```

Currently a bad actor can post different HTTP methods against the upload URL; is there a way to limit the HTTP method for requests to only POST?