Prevent Disk Space Exhaustion

Aug 23, 2024
2 minutes to read

In a disk space exhaustion attack (a form of Denial of Service (DoS) attack), a threat actor overwhelms a target server with files designed to consume all available disk space. This topic describes how to protect your server and reduce CWE-400-related security risks.

Limit Uploaded File Size

The following table lists DevExpress ASP.NET Web Forms controls that support file upload operations:

Control

Uploaded File Size Limit

| | --- | --- | |

Binary Image, File Manager, Upload Control

Unlimited

| |

Html Editor

30 MB

| |

Rich Text Editor, Spreadsheet

No limit for document file size, but 30MB+ image cannot be inserted into the document.

If file size exceeds limits, file validation fails and the control displays an error message. Specify the control’s MaxFileSize validation setting to set the maximum allowed size for uploaded files. The MaxFileSizeErrorText property allows you to customize error text.

ASPX

aspx

<dx:ASPxBinaryImage ID="BinaryImage" runat="server">
    <EditingSettings Enabled="true">
        <UploadSettings>
            <UploadValidationSettings MaxFileSize="4000000" MaxFileSizeErrorText="File size exceeds the 4MB"/>
        </UploadSettings>
    </EditingSettings>
</dx:ASPxBinaryImage>

Refer to the following topic for additional information on maximum file size: Uploading Large Files.

Use Stream to Access Large File Content

The Upload Control’s FileUploadComplete and FilesUploadComplete events allow you to access uploaded files. If you allow users to upload large files, use the FileContent event argument to access file contents:

ASPX

aspx

<dx:ASPxUploadControl ID="UploadControl" runat="server" UploadMode="Advanced" ShowUploadButton="True"
    OnFilesUploadComplete="FilesUploadComplete">
    <AdvancedModeSettings EnableMultiSelect="True" />
</dx:ASPxUploadControl>

C#
VB.NET

protected void FilesUploadComplete(object sender, DevExpress.Web.FilesUploadCompleteEventArgs e) {
    if (UploadControl.UploadedFiles != null && UploadControl.UploadedFiles.Length > 0) {
        for(int i = 0; i < UploadControl.UploadedFiles.Length; i++) {
            UploadedFile file = (UploadedFile)UploadControl.UploadedFiles[i];
            if (file.IsValid && file.FileName != "") {
                using (var stream = file.FileContent) {
                    // Process files here
                }
            }
        }
    }
}

Protected Sub FilesUploadComplete(ByVal sender As Object, ByVal e As DevExpress.Web.FilesUploadCompleteEventArgs)
    If UploadControl.UploadedFiles IsNot Nothing AndAlso UploadControl.UploadedFiles.Length > 0 Then
        For i As Integer = 0 To UploadControl.UploadedFiles.Length - 1
            Dim file As UploadedFile = UploadControl.UploadedFiles(i)
            If file.IsValid AndAlso file.FileName <> "" Then
                Using stream = file.FileContent
                    ' Process files here
                End Using
            End If
        Next
    End If
End Sub