Allow packages multipart uploads
What does this MR do?
Multipart uploads have some restrictions implemented in the GitLab multipart middleware (see https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/middleware/multipart.rb#L87-91).
Recently, we launched support for NuGet packages. Those packages are uploaded by nuget using a multipart upload. As the package storage path is not in the allowed_paths structure, the upload is rejected.
Note that this happens when not using the workhorse acceleration direct upload. This is why this issue is not happening on GitLab.com. In short, we have these possible configurations for uploads:
Object Storage | Direct Upload Enabled | Direct Upload Disabled |
---|---|---|
Enabled | works | fails |
Disabled | fails | fails |
This MR adds the package storage path to allowed_paths to fix the failing cases above, and adds the relevant tests.
See #208744 (closed)
Design choices
- Since upload paths are quite sensitive, allowed_paths is updated if and only if we're not using workhorse direct uploads.
- Add relevant tests for Gitlab::Middleware::Multipart and in the nuget_packages_shared_examples.
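The design choice above, sketched as an added example (not GitLab's code and not taken from this MR): an upload path allowlist that gains the packages directory only when direct upload is off. The class name, parameter names and the use of File.realpath for canonicalization are assumptions made for illustration, and the directory tree is constructed.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical allowlist check; class and parameter names are assumptions.
class UploadPathAllowlist
  def initialize(base_paths, packages_path:, direct_upload:)
    paths = base_paths.dup
    # Widen the allowlist only when direct upload is off.
    paths << packages_path unless direct_upload
    @allowed = paths.map { |p| File.realpath(p) }
  end

  # True only if the canonical path sits inside an allowed directory.
  def allowed?(file_path)
    real = File.realpath(file_path) # resolves ".." segments and symlinks
    @allowed.any? { |dir| real.start_with?(dir + File::SEPARATOR) }
  rescue SystemCallError
    false # missing or unresolvable paths are rejected
  end
end

# Builds a constructed directory tree and returns the check results.
def demo_allowlist
  Dir.mktmpdir do |root|
    uploads, packages, other = %w[uploads packages other].map do |name|
      File.join(root, name).tap { |dir| FileUtils.mkdir_p(dir) }
    end
    package = File.join(packages, 'Bananas.1.0.0.nupkg')
    outside = File.join(other, 'data.bin')
    [package, outside].each { |f| File.write(f, 'constructed sample') }
    link = File.join(packages, 'link.nupkg')
    File.symlink(outside, link)

    local = UploadPathAllowlist.new([uploads], packages_path: packages, direct_upload: false)
    direct = UploadPathAllowlist.new([uploads], packages_path: packages, direct_upload: true)
    {
      package_local: local.allowed?(package),
      package_direct: direct.allowed?(package),
      dotdot: local.allowed?(File.join(packages, '..', 'other', 'data.bin')),
      symlink: local.allowed?(link),
      missing: local.allowed?(File.join(packages, 'nope.nupkg'))
    }
  end
end

p demo_allowlist if __FILE__ == $PROGRAM_NAME
```

Only the package file checked with direct upload disabled is accepted; the same file is rejected when the packages directory was never added, and paths that resolve outside the allowed directories are rejected in both modes.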
Screenshots
Failing upload
```
$ nuget push Bananas.1.0.0.nupkg -source local
WARNING: No API Key was provided and no API Key could be found for 'http://gitlab.local:8000/api/v4/projects/1/packages/nuget'. To save an API Key for a source use the 'setApiKey' command.
Pushing Bananas.1.0.0.nupkg to 'http://gitlab.local:8000/api/v4/projects/1/packages/nuget'...
PUT http://gitlab.local:8000/api/v4/projects/1/packages/nuget/
InternalServerError http://gitlab.local:8000/api/v4/projects/1/packages/nuget/ 3117ms
PUT http://gitlab.local:8000/api/v4/projects/1/packages/nuget/
InternalServerError http://gitlab.local:8000/api/v4/projects/1/packages/nuget/ 2470ms
PUT http://gitlab.local:8000/api/v4/projects/1/packages/nuget/
InternalServerError http://gitlab.local:8000/api/v4/projects/1/packages/nuget/ 924ms
Response status code does not indicate success: 500 (Internal Server Error).
```
Upload fixed
```
$ nuget push Bananas.1.0.0.nupkg -source local
WARNING: No API Key was provided and no API Key could be found for 'http://gitlab.local:8000/api/v4/projects/1/packages/nuget'. To save an API Key for a source use the 'setApiKey' command.
Pushing Bananas.1.0.0.nupkg to 'http://gitlab.local:8000/api/v4/projects/1/packages/nuget'...
PUT http://gitlab.local:8000/api/v4/projects/1/packages/nuget/
Created http://gitlab.local:8000/api/v4/projects/1/packages/nuget/ 3456ms
Your package was pushed.
```
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team