Restrict LFS file download to project-bound objects
What does this MR do and why?
Related to: https://gitlab.com/gitlab-org/gitlab/-/issues/510292+
The original MR: Restrict LFS file download to project-bound obj... (!191723 - merged)
The problem
Previously, LfsStorageController#download allowed any user with download_code permission on any project to download any globally stored LFS object, simply by knowing its SHA—regardless of whether the object belonged to the project.
This was possible because GitLab's LFS backend stores objects globally, indexed only by their oid, without verifying if they are linked to the project making the request.
The fix
This change ensures that only LFS objects explicitly linked to the project can be downloaded.
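As an added illustration (not GitLab's code, and not the actual controller change), the following minimal in-memory model contrasts the pre-fix global lookup with a project-bound lookup: the object is resolved through the project's own links, so permission on some project plus knowledge of an oid is no longer enough. Store, link table and oids are constructed for the example.

```ruby
require 'set'

# Constructed model: the backend stores objects globally, keyed only by oid.
LfsObject = Struct.new(:oid, :size)
LFS_STORE = {}
# Constructed link table: project id -> oids linked to that project.
PROJECT_LINKS = Hash.new { |h, k| h[k] = Set.new }

def put_object(oid, size)
  LFS_STORE[oid] = LfsObject.new(oid, size)
end

def link_object(project_id, oid)
  PROJECT_LINKS[project_id] << oid
end

# Pre-fix behaviour: download_code on *any* project plus the oid is sufficient,
# because the lookup never consults the project.
def download_global(user_can_download_code, oid)
  return :forbidden unless user_can_download_code
  LFS_STORE.key?(oid) ? :ok : :not_found
end

# Fixed behaviour: resolve the object only through the requesting project's links.
# An unlinked oid answers :not_found rather than :forbidden, so the response does
# not reveal whether the object exists elsewhere on the instance.
def download_project_bound(user_can_download_code, project_id, oid)
  return :forbidden unless user_can_download_code
  return :not_found unless PROJECT_LINKS[project_id].include?(oid)
  LFS_STORE.key?(oid) ? :ok : :not_found
end

# Constructed sample data: two objects, each linked to a different project.
OID_A = 'a' * 64
OID_B = 'b' * 64
put_object(OID_A, 10)
put_object(OID_B, 20)
link_object(1, OID_A)
link_object(2, OID_B)

if __FILE__ == $PROGRAM_NAME
  puts "global lookup, project 1 asks for B: #{download_global(true, OID_B)}"
  puts "project-bound, project 1 asks for B: #{download_project_bound(true, 1, OID_B)}"
  puts "project-bound, project 2 asks for B: #{download_project_bound(true, 2, OID_B)}"
end
```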
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
- The MR that fixed the bug on the default branch has been deployed to GitLab.com (not applicable for documentation or spec changes).
- This MR has a severity label assigned (if applicable).
- Set the milestone of the merge request to match the target backport branch version.
- This MR has been approved by a maintainer (only one approval is required).
- Ensure the e2e:test-on-omnibus-ee job has either succeeded or been approved by a Software Engineer in Test.
Note to the merge request author and maintainer
If you have questions about the patch release process, please:
- Refer to the patch release runbook for engineers and maintainers for guidance.
- Ask questions on the #releases Slack channel (internal only).