Disallow negative size values

packages/backend/src/api/APIError.js

@@ -220,6 +220,10 @@ module.exports = class APIError {
             status: 400,
             message: 'Missing fileinfo entry or BLOB for operation.',
         },
+        'invalid_file_metadata': {
+            status: 400,
+            message: 'Invalid file metadata.',
+        },
 
         // Open
         'no_suitable_app': {

packages/backend/src/routers/filesystem_api/batch/all.js

@@ -192,7 +192,11 @@ module.exports = eggspress('/batch', {
             }
 
             if ( fieldname === 'fileinfo' ) {
-                fileinfos.push(JSON.parse(value));
+                const fileinfo = JSON.parse(value);
+                if ( fileinfo.size < 0 ) {
+                    throw APIError.create('invalid_file_metadata');
+                }
+                fileinfos.push(fileinfo);
                 return;
             }