Remove the conditional inclusion of packages upload paths in multipart.rb
multipart.rb#allowed_paths is the function used to check which paths are allowed for file uploads.
- The package upload path is conditionally added to multipart.rb#allowed_paths. It depends on whether the package feature is enabled and whether object storage (with direct upload) is enabled.
- The issue is that Git LFS is also behind a feature config, yet the LfsObjectUploader path is added unconditionally.
- Basically, we have the same conditions between the two uploads ( ::Packages::PackageFileUploader), yet they are not treated the same way for inclusion in
Choose one of the two:
- Conditionally add
  - Upsides: we limit multipart.rb#allowed_paths given the configuration used. Fewer paths in multipart.rb#allowed_paths = less chance of reading uploaded files from the wrong path
  - Downsides: we have to run more conditions on upload requests. This is a middleware, so it shouldn't add a significant delay to the request. Perhaps there is a way to read the config once and statically build
- Unconditionally add
  - Upsides: very easy to implement. Fewer conditions to check = faster code execution
  - Downsides: those paths will be allowed even though their corresponding feature is disabled in the config.
- Break Package/git LFS uploads.
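
The "read the config once" idea from the first option, side by side with the unconditional variant, as an added sketch that is not GitLab's multipart.rb. The class name, settings hash and directory paths are assumptions constructed for illustration.

```ruby
require 'pathname'

# Hypothetical allowlist, not GitLab's multipart.rb: the settings hash and
# directory names below are constructed for illustration.
class UploadPathAllowlist
  # feature name => settings keys that must all be true for its path to count
  CONDITIONAL = {
    lfs:      %i[enabled],
    packages: %i[enabled object_store_enabled direct_upload]
  }.freeze

  attr_reader :paths

  # Evaluate the configuration once (e.g. at boot) and freeze the result, so
  # the per-request check never re-reads feature settings.
  def initialize(settings, always: [], conditional: true)
    dirs = always.dup
    CONDITIONAL.each do |feature, keys|
      cfg = settings.fetch(feature, {})
      next if conditional && !keys.all? { |k| cfg[k] }
      dirs << cfg[:upload_path] if cfg[:upload_path]
    end
    @paths = dirs.map { |d| Pathname.new(d).cleanpath.to_s }.uniq.freeze
  end

  # True only when the file sits strictly inside an allowed directory.
  # cleanpath collapses "..", and the separator stops "/a/lfs-x" matching "/a/lfs".
  def allowed?(file_path)
    return false unless file_path.is_a?(String) && file_path.start_with?('/')
    clean = Pathname.new(file_path).cleanpath.to_s
    @paths.any? { |dir| clean.start_with?(dir + File::SEPARATOR) }
  end
end

# Constructed sample configuration: LFS disabled, packages fully enabled.
SETTINGS = {
  lfs:      { enabled: false, upload_path: '/srv/app/lfs/tmp/upload' },
  packages: { enabled: true, object_store_enabled: true, direct_upload: true,
              upload_path: '/srv/app/packages/tmp/upload' }
}.freeze

CONDITIONAL_LIST   = UploadPathAllowlist.new(SETTINGS, always: ['/srv/app/uploads/tmp'])
UNCONDITIONAL_LIST = UploadPathAllowlist.new(SETTINGS, always: ['/srv/app/uploads/tmp'],
                                             conditional: false)
```

`cleanpath` is purely lexical and does not resolve symlinks, so a real check on files that already exist on disk would compare resolved paths instead.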