fix(dataset): enforce max file size for multipart upload

[carloea2]

What changes were proposed in this PR?

• Enforce the single_file_upload_max_size_mib limit for multipart uploads at init by requiring fileSizeBytes + partSizeBytes and rejecting when the total declared file size exceeds the configured max.
• Persist multipart sizing metadata in DB by adding file_size_bytes and part_size_bytes to dataset_upload_session, plus constraints to keep them valid.
• Harden uploadPart against size bypasses by computing the expected part size from the stored session metadata and rejecting any request whose Content-Length does not exactly match the expected size (including the final part).
• Add a final server-side safety check at finish: after lakeFS reports the completed object size, compare to the max and roll back the object if it exceeds the limit.
• Update frontend init call to pass fileSizeBytes and partSizeBytes when initializing multipart uploads.
• Add DB migration (sql/updates/18.sql) to apply the schema change on existing deployments.

Any related issues, documentation, discussions?

Close #4147

How was this PR tested?

• Added/updated unit tests for multipart upload validation and malicious cases, including:

  • max upload size enforced at init (over/equals boundaries + 2-part boundary)
  • header poisoning and Content-Length mismatch rejection (non-numeric/overflow/mismatch)
  • finish rollback when max is tightened before finish (oversized object must not remain accessible)

Was this PR authored or co-authored using generative AI tooling?

Co-authored-by: ChatGPT

[carloea2]

@xuang7 @aicam @chenlica

[chenlica]

@xuang7 Please be the first reviewer before @aicam can do it.

[xuang7]

Thanks for the PR. LGTM!

[aicam]

I think life cycle of upload session records needs better design, if needed, we can meet

[aicam]

LGTM!, thanks for the great PR

[carloea2]

@aicam Can you run the testing? Thanks