Merge branch 'security-193100-ignore-duplicate-multipart-params' into 'master'

Ignore empty remote_id params from Workhorse See merge request gitlab-org/security/gitlab!314

Merge branch 'security-193100-ignore-duplicate-multipart-params' into 'master'
Ignore empty remote_id params from Workhorse See merge request gitlab-org/security/gitlab!314
111dc842 · GitLab Release Tools Bot · 58ceb471 · 666130a4 · 111dc842 · 111dc842
Commit 111dc842 authored Mar 24, 2020 by GitLab Release Tools Bot
5 changed files
--- a/GITLAB_WORKHORSE_VERSION
+++ b/GITLAB_WORKHORSE_VERSION
-8.27.0
+8.28.0
--- a/app/uploaders/object_storage.rb
+++ b/app/uploaders/object_storage.rb
@@ -318,7 +318,7 @@ module ObjectStorage
    def cache!(new_file = sanitized_file)
      # We intercept ::UploadedFile which might be stored on remote storage
      # We use that for "accelerated" uploads, where we store result on remote storage
-      if new_file.is_a?(::UploadedFile) && new_file.remote_id
+      if new_file.is_a?(::UploadedFile) && new_file.remote_id.present?
        return cache_remote_file!(new_file.remote_id, new_file.original_filename)
      end


--- a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
+++ b/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
+---
+title: Ignore empty remote_id params from Workhorse accelerated uploads
+merge_request:
+author:
+type: security
--- a/spec/support/helpers/workhorse_helpers.rb
+++ b/spec/support/helpers/workhorse_helpers.rb
@@ -76,7 +76,7 @@ module WorkhorseHelpers
      "#{key}.size" => file.size
    }.tap do |params|
      params["#{key}.path"] = file.path if file.path
-      params["#{key}.remote_id"] = file.remote_id if file.respond_to?(:remote_id) && file.remote_id
+      params["#{key}.remote_id"] = file.remote_id if file.respond_to?(:remote_id) && file.remote_id.present?
    end
  end


--- a/spec/uploaders/object_storage_spec.rb
+++ b/spec/uploaders/object_storage_spec.rb
@@ -714,6 +714,19 @@ describe ObjectStorage do
          end
        end

+        context 'when empty remote_id is specified' do
+          let(:uploaded_file) do
+            UploadedFile.new(temp_file.path, remote_id: '')
+          end
+
+          it 'uses local storage' do
+            subject
+
+            expect(uploader).to be_file_storage
+            expect(uploader.object_store).to eq(described_class::Store::LOCAL)
+          end
+        end
+
        context 'when valid file is specified' do
          let(:uploaded_file) do
            UploadedFile.new(temp_file.path, filename: "my_file.txt", remote_id: "test/123123")