Upload custom emoji using direct upload
In #23798 (comment 374028934) we have been discussing how to upload the images for Custom Emoji.
To make this work with Cloud Native and Object Storage, changes in several components are needed (including gitlab-workhorse).
The process to do so is currently described in the direct_upload development guidelines.
Security concerns
When the GraphQL endpoint was added to allow Custom Emoji from an external URL, security concerns were raised:

For now, `external` must be set to `true`, as stated in !37911 (diffs), so the validation on the next line is secure: `validates :file, public_url: true, if: :external`. I would pay extra attention when we allow users to set `external` to `false` in the future, to make sure we perform additional validation on the value of `file` to prevent Server Side Request Forgery/Local File Inclusion.
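The two validation branches discussed in that comment, as an added example that is not GitLab's code: `public_url?` is a simplified stand-in for the `public_url` validation (not the project's own validator), and the rule applied when `external` is `false` (the file value must be a hex upload identifier, never a URL or a path) is an assumption chosen for illustration.

```ruby
require 'uri'
require 'ipaddr'

# Added example, not GitLab code: a minimal stand-in for a `public_url`
# validation. It accepts only http(s) URLs whose host is not a loopback,
# private, link-local or otherwise non-public address.
PRIVATE_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |range| IPAddr.new(range) }

def public_url?(value)
  uri = URI.parse(value.to_s)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.hostname
  return false if host.nil? || host.empty?
  return false if host.casecmp?('localhost') || host.end_with?('.localhost')

  # Only IP literals are checked here. A real validator must also resolve the
  # hostname, check every resolved address and guard against DNS rebinding.
  begin
    ip = IPAddr.new(host)
    PRIVATE_RANGES.none? { |range| range.include?(ip) }
  rescue IPAddr::InvalidAddressError
    true # a hostname, not an IP literal; resolution is out of scope here
  end
rescue URI::InvalidURIError
  false
end

# Assumed model shape for illustration. The external branch mirrors
# `validates :file, public_url: true, if: :external`; the non-external
# branch is the "additional validation on the value of file" the comment
# asks for, here an allowlist: a 32-hex-digit upload id (constructed rule).
CustomEmoji = Struct.new(:name, :file, :external, keyword_init: true) do
  def errors
    errs = []
    if external
      errs << 'file must be a public http(s) URL' unless public_url?(file)
    else
      errs << 'file must be an upload id' unless file.to_s.match?(/\A[0-9a-f]{32}\z/)
    end
    errs
  end

  def valid?
    errors.empty?
  end
end
```

The point of the non-external branch is that once `external` can be `false`, `file` must be validated against what a non-external file is allowed to be, rather than left unchecked because the URL validator is skipped.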