The files manipulated by the system and its users must have a defined maximum file size (5 MB recommended).

When a system allows users to upload or attach files that it then stores, a maximum file size limit must be defined for those files. The limit protects the availability of the service and reduces the chance that an attacker can upload a file containing malicious software.

To define the file size limit, first determine the information storage needs and the size of the infrastructure. The company can set a default file size for information management and define whatever exceptions it deems necessary to admit larger files, but a defined limit must always remain in place to avoid denial-of-service attacks caused by abusing the system's storage.
An application allows the upload and storage of files. A user continuously uploads large files until the system runs out of storage space, causing a denial of service.
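The policy described above (a 5 MB default, explicit exceptions, and a ceiling that no exception can exceed) enforced on a streamed upload, as an added example that is not part of the original requirement text. The hard cap value, the exception table and the helper names are assumptions chosen for illustration.

```python
import io
from dataclasses import dataclass, field

MiB = 1024 * 1024


@dataclass(frozen=True)
class UploadPolicy:
    """Size limits in bytes. The default applies unless the content type has
    an exception, and every exception is still clamped to hard_cap, so no
    upload is ever unbounded (hard_cap value is a hypothetical choice)."""
    default_limit: int = 5 * MiB
    hard_cap: int = 50 * MiB
    exceptions: dict = field(default_factory=dict)

    def limit_for(self, content_type: str) -> int:
        return min(self.exceptions.get(content_type, self.default_limit), self.hard_cap)


class FileTooLarge(Exception):
    pass


def store_upload(stream, content_type: str, policy: UploadPolicy, sink,
                 chunk_size: int = 64 * 1024) -> int:
    """Copy the upload from stream to sink while counting bytes as they arrive.
    The client-declared Content-Length is not trusted: the transfer is aborted
    as soon as the running total exceeds the limit, so an oversized file never
    fully lands in storage. On FileTooLarge the caller must discard sink
    (for example, delete the temporary file) because earlier chunks were written."""
    limit = policy.limit_for(content_type)
    total = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return total
        total += len(chunk)
        if total > limit:
            raise FileTooLarge(f"{content_type}: {total} bytes exceeds limit of {limit}")
        sink.write(chunk)


def store_bytes(data: bytes, content_type: str, policy: UploadPolicy) -> int:
    """Convenience wrapper: store an in-memory payload and return bytes kept."""
    return store_upload(io.BytesIO(data), content_type, policy, io.BytesIO())


if __name__ == "__main__":
    # Constructed sample policy: video gets a larger limit, archives ask for
    # more than the hard cap and are clamped to it.
    policy = UploadPolicy(exceptions={"video/mp4": 40 * MiB, "application/zip": 500 * MiB})
    print(store_bytes(b"x" * (5 * MiB), "image/png", policy))
```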
CWE-400: Uncontrolled Resource Consumption. The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.