managedcode
diff --git a/‎Integraions/ManagedCode.Storage.Server/ChunkUpload/ChunkUploadService.cs‎
Lines changed: 27 additions & 1 deletion b/‎Integraions/ManagedCode.Storage.Server/ChunkUpload/ChunkUploadService.cs‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎Integraions/ManagedCode.Storage.Server/Controllers/StorageControllerBase.cs‎
Lines changed: 42 additions & 0 deletions b/‎Integraions/ManagedCode.Storage.Server/Controllers/StorageControllerBase.cs‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎ManagedCode.Storage.Core/Models/LocalFile.cs‎
Lines changed: 143 additions & 3 deletions b/‎ManagedCode.Storage.Core/Models/LocalFile.cs‎
Lines changed: 143 additions & 3 deletions
diff --git a/‎ManagedCode.Storage.VirtualFileSystem/Core/VfsPath.cs‎
Lines changed: 9 additions & 0 deletions b/‎ManagedCode.Storage.VirtualFileSystem/Core/VfsPath.cs‎
Lines changed: 9 additions & 0 deletions
@@ -47,7 +47,10 @@ public async Task<Result> AppendChunkAsync(FileUploadPayload payload, Cancellati
         var descriptor = payload.Payload;
         var uploadId = ChunkUploadDescriptor.ResolveUploadId(descriptor);
 
-        var session = _sessions.GetOrAdd(uploadId, static (key, state) =>
+        // Sanitize upload ID to prevent path traversal
+        var sanitizedUploadId = SanitizeUploadId(uploadId);
+
+        var session = _sessions.GetOrAdd(sanitizedUploadId, static (key, state) =>
         {
             var descriptor = state.Payload;
             var workingDirectory = Path.Combine(state.Options.TempPath, key);
@@ -151,6 +154,29 @@ public void Abort(string uploadId)
         }
     }
 
+    private static string SanitizeUploadId(string uploadId)
+    {
+        if (string.IsNullOrWhiteSpace(uploadId))
+            throw new ArgumentException("Upload ID cannot be null or empty", nameof(uploadId));
+
+        // Remove any path traversal sequences
+        uploadId = uploadId.Replace("..", string.Empty, StringComparison.Ordinal);
+        uploadId = uploadId.Replace("/", string.Empty, StringComparison.Ordinal);
+        uploadId = uploadId.Replace("\\", string.Empty, StringComparison.Ordinal);
+
+        // Only allow alphanumeric characters, hyphens, and underscores
+        var allowedChars = uploadId.Where(c => char.IsLetterOrDigit(c) || c == '-' || c == '_').ToArray();
+        var sanitized = new string(allowedChars);
+
+        if (string.IsNullOrWhiteSpace(sanitized))
+            throw new ArgumentException("Upload ID contains only invalid characters", nameof(uploadId));
+
+        if (sanitized.Length > 128)
+            throw new ArgumentException("Upload ID is too long", nameof(uploadId));
+
+        return sanitized;
+    }
+
     private static async Task MergeChunksAsync(string destinationFile, IReadOnlyCollection<string> chunkFiles, CancellationToken cancellationToken)
     {
         await using var destination = new FileStream(destinationFile, FileMode.Create, FileAccess.Write, FileShare.None, bufferSize: MergeBufferSize, useAsync: true);
 
@@ -57,6 +57,13 @@ public virtual async Task<Result<BlobMetadata>> UploadAsync([FromForm] IFormFile
             return Result<BlobMetadata>.Fail(HttpStatusCode.BadRequest, "File payload is missing");
         }
 
+        // Validate file size if enabled
+        if (_options.EnableFileSizeValidation && _options.MaxFileSize > 0 && file.Length > _options.MaxFileSize)
+        {
+            return Result<BlobMetadata>.Fail(HttpStatusCode.RequestEntityTooLarge,
+                $"File size {file.Length} bytes exceeds maximum allowed size of {_options.MaxFileSize} bytes");
+        }
+
         try
         {
             return await Result.From(() => this.UploadFormFileAsync(Storage, file, cancellationToken: cancellationToken), cancellationToken);
@@ -164,6 +171,13 @@ public virtual async Task<Result> UploadChunkAsync([FromForm] FileUploadPayload
             return Result.Fail(HttpStatusCode.BadRequest, "UploadId is required");
         }
 
+        // Validate chunk size if enabled
+        if (_options.EnableFileSizeValidation && _options.MaxChunkSize > 0 && payload.File.Length > _options.MaxChunkSize)
+        {
+            return Result.Fail(HttpStatusCode.RequestEntityTooLarge,
+                $"Chunk size {payload.File.Length} bytes exceeds maximum allowed chunk size of {_options.MaxChunkSize} bytes");
+        }
+
         return await ChunkUploadService.AppendChunkAsync(payload, cancellationToken);
     }
 
@@ -228,6 +242,16 @@ public class StorageServerOptions
     /// </summary>
     public const int DefaultMultipartBoundaryLengthLimit = 70;
 
+    /// <summary>
+    /// Default maximum file size: 100 MB.
+    /// </summary>
+    public const long DefaultMaxFileSize = 100 * 1024 * 1024;
+
+    /// <summary>
+    /// Default maximum chunk size: 10 MB.
+    /// </summary>
+    public const long DefaultMaxChunkSize = 10 * 1024 * 1024;
+
     /// <summary>
     /// Gets or sets a value indicating whether range processing is enabled for streaming responses.
     /// </summary>
@@ -242,4 +266,22 @@ public class StorageServerOptions
     /// Gets or sets the maximum allowed length for multipart boundaries when parsing raw upload streams.
     /// </summary>
     public int MultipartBoundaryLengthLimit { get; set; } = DefaultMultipartBoundaryLengthLimit;
+
+    /// <summary>
+    /// Gets or sets the maximum file size in bytes that can be uploaded. Set to 0 to disable the limit.
+    /// Default is 100 MB.
+    /// </summary>
+    public long MaxFileSize { get; set; } = DefaultMaxFileSize;
+
+    /// <summary>
+    /// Gets or sets the maximum chunk size in bytes for chunk uploads. Set to 0 to disable the limit.
+    /// Default is 10 MB.
+    /// </summary>
+    public long MaxChunkSize { get; set; } = DefaultMaxChunkSize;
+
+    /// <summary>
+    /// Gets or sets whether file size validation is enabled.
+    /// Default is true.
+    /// </summary>
+    public bool EnableFileSizeValidation { get; set; } = true;
 }
@@ -131,8 +131,11 @@ public void Close()
 
     public async Task<LocalFile> CopyFromStreamAsync(Stream stream, CancellationToken cancellationToken = default)
     {
-        var fs = FileStream;
-        await stream.CopyToAsync(fs, cancellationToken);
+        await using var fs = FileStream;
+        fs.SetLength(0);
+        fs.Position = 0;
+        await stream.CopyToAsync(fs, cancellationToken).ConfigureAwait(false);
+        await fs.FlushAsync(cancellationToken).ConfigureAwait(false);
         return this;
     }
 
@@ -180,6 +183,11 @@ public static LocalFile FromTempFile()
         return new LocalFile();
     }
 
+    public Stream OpenReadStream(bool disposeOwner = true)
+    {
+        return new LocalFileReadStream(this, disposeOwner);
+    }
+
     #region Read
 
     public string ReadAllText()
@@ -304,4 +312,136 @@ public Task WriteAllBytesAsync(byte[] bytes, CancellationToken cancellationToken
     }
 
     #endregion
-}
+
+    private sealed class LocalFileReadStream : Stream
+    {
+        private readonly LocalFile _owner;
+        private readonly FileStream _stream;
+        private readonly bool _disposeOwner;
+        private bool _disposed;
+
+        public LocalFileReadStream(LocalFile owner, bool disposeOwner)
+        {
+            _owner = owner;
+            _disposeOwner = disposeOwner;
+            _stream = new FileStream(owner.FilePath, new FileStreamOptions
+            {
+                Mode = FileMode.Open,
+                Access = FileAccess.Read,
+                Share = FileShare.Read,
+                Options = FileOptions.Asynchronous
+            });
+        }
+
+        public override bool CanRead => _stream.CanRead;
+
+        public override bool CanSeek => _stream.CanSeek;
+
+        public override bool CanWrite => _stream.CanWrite;
+
+        public override long Length => _stream.Length;
+
+        public override long Position
+        {
+            get => _stream.Position;
+            set => _stream.Position = value;
+        }
+
+        public override void Flush() => _stream.Flush();
+
+        public override Task FlushAsync(CancellationToken cancellationToken)
+        {
+            return _stream.FlushAsync(cancellationToken);
+        }
+
+        public override int Read(byte[] buffer, int offset, int count)
+        {
+            return _stream.Read(buffer, offset, count);
+        }
+
+        public override int Read(Span<byte> buffer)
+        {
+            return _stream.Read(buffer);
+        }
+
+        public override ValueTask<int> ReadAsync(Memory<byte> buffer, CancellationToken cancellationToken = default)
+        {
+            return _stream.ReadAsync(buffer, cancellationToken);
+        }
+
+        public override Task<int> ReadAsync(byte[] buffer, int offset, int count, CancellationToken cancellationToken)
+        {
+            return _stream.ReadAsync(buffer, offset, count, cancellationToken);
+        }
+
+        public override long Seek(long offset, SeekOrigin origin)
+        {
+            return _stream.Seek(offset, origin);
+        }
+
+        public override void SetLength(long value)
+        {
+            _stream.SetLength(value);
+        }
+
+        public override void Write(byte[] buffer, int offset, int count)
+        {
+            _stream.Write(buffer, offset, count);
+        }
+
+        public override void Write(ReadOnlySpan<byte> buffer)
+        {
+            _stream.Write(buffer);
+        }
+
+        public override Task WriteAsync(byte[] buffer, int offset, int count, CancellationToken cancellationToken)
+        {
+            return _stream.WriteAsync(buffer, offset, count, cancellationToken);
+        }
+
+        public override ValueTask WriteAsync(ReadOnlyMemory<byte> buffer, CancellationToken cancellationToken = default)
+        {
+            return _stream.WriteAsync(buffer, cancellationToken);
+        }
+
+        protected override void Dispose(bool disposing)
+        {
+            if (_disposed)
+            {
+                base.Dispose(disposing);
+                return;
+            }
+
+            if (disposing)
+            {
+                _stream.Dispose();
+
+                if (_disposeOwner)
+                {
+                    _owner.Dispose();
+                }
+            }
+
+            _disposed = true;
+            base.Dispose(disposing);
+        }
+
+        public override async ValueTask DisposeAsync()
+        {
+            if (_disposed)
+            {
+                await ValueTask.CompletedTask;
+                return;
+            }
+
+            await _stream.DisposeAsync();
+
+            if (_disposeOwner)
+            {
+                await _owner.DisposeAsync();
+            }
+
+            _disposed = true;
+        }
+    }
+}
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 
 namespace ManagedCode.Storage.VirtualFileSystem.Core;
 
@@ -95,6 +96,14 @@ public string ToBlobKey()
     /// </summary>
     private static string NormalizePath(string path)
     {
+        // Security: Check for null bytes (potential security issue)
+        if (path.Contains('\0'))
+            throw new ArgumentException("Path contains null bytes", nameof(path));
+
+        // Security: Check for control characters
+        if (path.Any(c => char.IsControl(c) && c != '\t' && c != '\r' && c != '\n'))
+            throw new ArgumentException("Path contains control characters", nameof(path));
+
         // 1. Replace backslashes with forward slashes
         path = path.Replace('\\', '/');