Remove UploadedFile path prefix validation (!90250) · Merge requests · GitLab.org / GitLab

Jacob Vosmaer requested to merge jv-uploaded-file-remove-validation into master Jun 15, 2022

What does this MR do and why?

The UploadedFile.from_params function contained a check that allow-listed the paths of files we were building handles for. Over time this has grown into a list of all possible directories where Workhorse may drop temporary files for Rails. Because the paths are now passed from Workhorse to Rails in signed messages, we do not really need this path check anymore.

This change removes the check because the signature check provides enough validation.

While we are here, also remove the legacy code in Workhorse that sends the parameters in unsigned form. These unsigned parameters are being ignored by Rails anyway.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Jun 15, 2022 by Jacob Vosmaer

Remove UploadedFile path prefix validation

What does this MR do and why?

MR acceptance checklist

Merge request reports