9.1. File Upload Standard
9.1.1. File Size Limits
File upload size limits must be configured in application.yml.
```yaml
spring:
  servlet:
    multipart:
      max-file-size: 10MB
      max-request-size: 50MB
```

| Setting | Default | Description |
|---|---|---|
| max-file-size | 10MB | Maximum size for a single file |
| max-request-size | 50MB | Maximum size for an entire request (including multiple files) |
9.1.2. Allowed Extensions / MIME Type Validation
Both file extensions and MIME types must be validated. Validating extensions alone is susceptible to forgery.
```java
import java.util.List;
import org.springframework.boot.context.properties.ConfigurationProperties;

// Bound from the app.storage block of application.yml; kebab-case keys map onto
// the record components (upload-path -> uploadPath, and so on).
@ConfigurationProperties(prefix = "app.storage")
public record StorageProperties(
        String uploadPath,              // directory where stored files are written
        long maxFileSize,               // in bytes; 10485760 = 10 MiB
        List<String> allowedExtensions, // lowercase, without the leading dot
        List<String> allowedMimeTypes
) {}
```

```yaml
app:
  storage:
    upload-path: /data/uploads
    max-file-size: 10485760
    allowed-extensions:
      - pdf
      - png
      - jpg
      - jpeg
      - gif
      - xlsx
      - docx
    allowed-mime-types:
      - application/pdf
      - image/png
      - image/jpeg
      - image/gif
      - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
      - application/vnd.openxmlformats-officedocument.wordprocessingml.document
```

9.1.3. Filename Handling
Uploaded files must be stored using a UUID-based storage name, while the original filename is preserved as metadata.
```java
import java.util.Locale;
import java.util.UUID;

public class FileNameGenerator {
    // The stored name is a random UUID plus the normalized extension; the original
    // filename is kept only as database metadata and never used on disk.
    public static String generate(String originalFilename) {
        String extension = extractExtension(originalFilename);
        return UUID.randomUUID() + "." + extension;
    }
    private static String extractExtension(String filename) {
        if (filename == null || filename.isBlank()) {
            throw new InvalidFileException("Files without an extension cannot be uploaded.");
        }
        // Some clients send a full path; look only at the last path segment
        String baseName = filename.substring(Math.max(filename.lastIndexOf('/'), filename.lastIndexOf('\\')) + 1);
        int lastDot = baseName.lastIndexOf('.');
        if (lastDot == -1 || lastDot == baseName.length() - 1) { // no dot, or a trailing dot
            throw new InvalidFileException("Files without an extension cannot be uploaded.");
        }
        // Locale.ROOT avoids locale-specific case mapping (e.g. the Turkish dotless i)
        return baseName.substring(lastDot + 1).toLowerCase(Locale.ROOT);
    }
}
```

| Item | Rule |
|---|---|
| Stored filename | UUID + extension (550e8400-e29b-41d4-a716-446655440000.pdf) |
| Original filename | Stored separately in the database |
| Extension | Normalized to lowercase |
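Putting 9.1.2 and 9.1.3 together, here is an added example (not part of this standard's own code) of the validation step that runs before FileNameGenerator.generate. It assumes the StorageProperties record from 9.1.2 is on the classpath and takes the same values a MultipartFile exposes; the UploadValidator class, its MAGIC and MIME_FOR_EXT tables and the sample inputs are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public final class UploadValidator {
    // Leading bytes of each allowed format; xlsx/docx are ZIP containers and share the "PK\3\4" signature
    private static final Map<String, byte[]> MAGIC = Map.of(
        "pdf", new byte[]{0x25, 0x50, 0x44, 0x46}, "png", new byte[]{(byte) 0x89, 0x50, 0x4E, 0x47},
        "jpg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}, "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", new byte[]{0x47, 0x49, 0x46, 0x38}, "xlsx", new byte[]{0x50, 0x4B, 0x03, 0x04},
        "docx", new byte[]{0x50, 0x4B, 0x03, 0x04});
    // Declared MIME type that is consistent with each extension (jpg and jpeg both map to image/jpeg)
    private static final Map<String, String> MIME_FOR_EXT = Map.of(
        "pdf", "application/pdf", "png", "image/png", "jpg", "image/jpeg", "jpeg", "image/jpeg",
        "gif", "image/gif", "xlsx", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        "docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document");
    private final StorageProperties props;   // the record bound from app.storage in 9.1.2
    public UploadValidator(StorageProperties props) { this.props = props; }

    // Arguments mirror MultipartFile.getOriginalFilename(), getContentType(), getSize() and getBytes();
    // returns the normalized extension or throws IllegalArgumentException naming the first failed rule.
    public String validate(String originalFilename, String declaredMime, long size, byte[] content) {
        if (size <= 0 || size > props.maxFileSize()) throw new IllegalArgumentException("size out of range: " + size);
        int dot = originalFilename == null ? -1 : originalFilename.lastIndexOf('.');
        if (dot < 0 || dot == originalFilename.length() - 1) throw new IllegalArgumentException("missing extension");
        String ext = originalFilename.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!props.allowedExtensions().contains(ext)) throw new IllegalArgumentException("extension not allowed: " + ext);
        // Content-Type is client-supplied: require it to be allow-listed and consistent with the extension,
        // but never treat it as proof of the file's real type
        if (declaredMime == null || !props.allowedMimeTypes().contains(declaredMime) || !declaredMime.equals(MIME_FOR_EXT.get(ext)))
            throw new IllegalArgumentException("MIME type mismatch: " + declaredMime);
        // The check a merely renamed file cannot pass: the content's own leading bytes must match the claimed format
        byte[] magic = MAGIC.get(ext);
        if (content.length < magic.length || !Arrays.equals(Arrays.copyOf(content, magic.length), magic))
            throw new IllegalArgumentException("content does not match ." + ext);
        return ext;
    }

    public static void main(String[] args) {
        UploadValidator v = new UploadValidator(new StorageProperties("/data/uploads", 10_485_760L,
            List.of("pdf", "png", "jpg", "jpeg", "gif", "xlsx", "docx"),
            List.of("application/pdf", "image/png", "image/jpeg", "image/gif",
                "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                "application/vnd.openxmlformats-officedocument.wordprocessingml.document")));
        byte[] pdf = "%PDF-1.7\n% constructed sample".getBytes(StandardCharsets.US_ASCII);     // constructed
        System.out.println("accepted as ." + v.validate("Report.PDF", "application/pdf", pdf.length, pdf));
        byte[] text = "plain text renamed to .png".getBytes(StandardCharsets.US_ASCII);        // constructed
        try { v.validate("avatar.png", "image/png", text.length, text); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In production read only the first few bytes from getInputStream() instead of buffering the whole upload with getBytes(), and treat the signature check as a minimum: xlsx/docx share a generic ZIP signature, so they should also be opened as a ZIP archive before being accepted.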