Uploaded image for project: 'James Server'
  1. James Server
  2. JAMES-3925

JMAP quota for uploads

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.8.0
    • master
    • None
    • None

    Description

      Why?

      As a james user, I want to set up a SaaS mail offer.

      As such, I can't control my SaaS users, I have limited prior control on them, and little retorsion mechanisms. As such I cannot assert that they are good actors, as I would for instance for an on-premise deployment.

      It turns out the JMAP uploads offer a simple binary store that is currently not limited by James. As such it would be trivial for an attacker to exploit this to store unlimited amount of data.

      The way to counter such a threat is to set up a quota on users uploads.

      How?

      • Store the current size of total user uploads. Cassandra and memory implementation.
      • Have a global limit (configured)
      • Enforce the quota checks upon uploads. Upon upload deletion.
      • Expose a webadmin API to see user quota usage for JMAP uploads.

      Definition of done

      JMAP integration tests rejecting offending over-quota uploads.

      Attachments

        Activity

          People

            Unassigned Unassigned
            btellier Benoit Tellier
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 12h 10m
                12h 10m