[prev in list] [next in list] [prev in thread] [next in thread]
List: james-dev
Subject: [jira] [Comment Edited] (JAMES-3925) JMAP quota for uploads
From: "Benoit Tellier (Jira)" <server-dev () james ! apache ! org>
Date: 2023-08-17 13:57:00
Message-ID: JIRA.13543363.1689212218000.12143.1692280620008 () Atlassian ! JIRA
[Download RAW message or body]
[ https://issues.apache.org/jira/browse/JAMES-3925?page=com.atlassian.jira.plugin. \
system.issuetabpanels:comment-tabpanel&focusedCommentId=17755560#comment-17755560 ]
Benoit Tellier edited comment on JAMES-3925 at 8/17/23 1:56 PM:
----------------------------------------------------------------
FYI as their is some interesting design considerations behind this proposal, I did \
write an ADR about this topic.
ADR:
https://github.com/apache/james-project/pull/1688
was (Author: btellier):
FYI as their is some interesting design considerations behind this proposal, I did \
write an ADR about this topi.
ADR:
https://github.com/apache/james-project/pull/1688
> JMAP quota for uploads
> ----------------------
>
> Key: JAMES-3925
> URL: https://issues.apache.org/jira/browse/JAMES-3925
> Project: James Server
> Issue Type: New Feature
> Affects Versions: 3.8.0
> Reporter: Benoit Tellier
> Priority: Major
> Fix For: master
>
>
> h3. Why?
> As a james user, I want to set up a SaaS mail offer.
> As such, I can't control my SaaS users, I have limited prior control on them, and \
> little retorsion mechanisms. As such I cannot assert that they are good actors, as \
> I would for instance for an on-premise deployment. It turns out the JMAP uploads \
> offer a simple binary store that is currently not limited by James. As such it \
> would be trivial for an attacker to exploit this to store unlimited amount of data. \
> The way to counter such a threat is to set up a quota on users uploads. h3. How?
> - Store the current size of total user uploads. Cassandra and memory \
> implementation.
> - Have a global limit (configured)
> - Enforce the quota checks upon uploads. Upon upload deletion.
> - Expose a webadmin API to see user quota usage for JMAP uploads.
> h3. Definition of done
> JMAP integration tests rejecting offending over-quota uploads.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic