authorGitLab Bot <gitlab-bot@gitlab.com>2023-06-01 18:07:25 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-06-01 18:07:25 +0300
commitfe09bd4d74025ea828425c6ffb0236549d51163f (patch)
tree68ebb6980ef07bcac528f83d927809b4d063c002 /app/controllers
parentcf19a51fc5711144b26f7123c14f9b64a7597195 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/concerns/uploads_actions.rb4
-rw-r--r--app/controllers/groups/dependency_proxy_for_containers_controller.rb2
-rw-r--r--app/controllers/projects/releases_controller.rb2
-rw-r--r--app/controllers/repositories/lfs_api_controller.rb56
4 files changed, 57 insertions, 7 deletions
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb
index 0d64a685065..d747d397e20 100644
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -11,7 +11,7 @@ module UploadsActions
prepend_before_action :set_request_format_from_path_extension
rescue_from FileUploader::InvalidSecret, with: :render_404
- rescue_from ::Gitlab::Utils::PathTraversalAttackError do
+ rescue_from ::Gitlab::PathTraversal::PathTraversalAttackError do
head :bad_request
end
end
@@ -37,7 +37,7 @@ module UploadsActions
# - or redirect to its URL
#
def show
- Gitlab::Utils.check_path_traversal!(params[:filename])
+ Gitlab::PathTraversal.check_path_traversal!(params[:filename])
return render_404 unless uploader&.exists?
diff --git a/app/controllers/groups/dependency_proxy_for_containers_controller.rb b/app/controllers/groups/dependency_proxy_for_containers_controller.rb
index 1b1aed0ec2e..1fc631f299b 100644
--- a/app/controllers/groups/dependency_proxy_for_containers_controller.rb
+++ b/app/controllers/groups/dependency_proxy_for_containers_controller.rb
@@ -121,7 +121,7 @@ class Groups::DependencyProxyForContainersController < ::Groups::DependencyProxy
end
def manifest_file_name
- @manifest_file_name ||= Gitlab::Utils.check_path_traversal!("#{image}:#{tag}.json")
+ @manifest_file_name ||= Gitlab::PathTraversal.check_path_traversal!("#{image}:#{tag}.json")
end
def group
diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb
index 7c569df7267..6a6a47bc33d 100644
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -74,6 +74,6 @@ class Projects::ReleasesController < Projects::ApplicationController
end
def validate_suffix_path
- Gitlab::Utils.check_path_traversal!(params[:suffix_path]) if params[:suffix_path]
+ Gitlab::PathTraversal.check_path_traversal!(params[:suffix_path]) if params[:suffix_path]
end
end
diff --git a/app/controllers/repositories/lfs_api_controller.rb b/app/controllers/repositories/lfs_api_controller.rb
index d52ae723eee..32119ddf89e 100644
--- a/app/controllers/repositories/lfs_api_controller.rb
+++ b/app/controllers/repositories/lfs_api_controller.rb
@@ -6,6 +6,10 @@ module Repositories
include Gitlab::Utils::StrongMemoize
LFS_TRANSFER_CONTENT_TYPE = 'application/octet-stream'
+ # Downloading directly with presigned URLs via batch requests
+ # require longer expire time.
+ # The 1h should be enough to download 100 objects.
+ LFS_DIRECT_BATCH_EXPIRE_IN = 3600.seconds
skip_before_action :lfs_check_access!, only: [:deprecated]
before_action :lfs_check_batch_operation!, only: [:batch]
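Review bot: The comment on `LFS_DIRECT_BATCH_EXPIRE_IN` explains why the window is long but not what it bounds. In `direct_download_actions` (last hunk of this file) the value becomes the `expire_at` of a URL returned in the batch response, so it is also how long that URL stays usable after the response is sent, presumably without a further GitLab permission check. I would extend the comment along the lines of `# Lifetime of presigned URLs returned by batch downloads; a URL stays valid this long even if project access changes.` and write the value as `1.hour` to match the prose. The basis for the 100-object figure is not visible in this hunk and could be referenced in the comment.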
@@ -22,7 +26,11 @@ module Repositories
end
if download_request?
- render json: { objects: download_objects! }, content_type: LfsRequest::CONTENT_TYPE
+ if Feature.enabled?(:lfs_batch_direct_downloads, project)
+ render json: { objects: download_objects! }, content_type: LfsRequest::CONTENT_TYPE
+ else
+ render json: { objects: legacy_download_objects! }, content_type: LfsRequest::CONTENT_TYPE
+ end
elsif upload_request?
render json: { objects: upload_objects! }, content_type: LfsRequest::CONTENT_TYPE
else
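Review bot: The two `render` calls added in the download branch differ only in which method builds the object list, so the response shape is now duplicated for the lifetime of the `lfs_batch_direct_downloads` flag. Selecting the list first keeps a single render, for example `download_list = Feature.enabled?(:lfs_batch_direct_downloads, project) ? download_objects! : legacy_download_objects!` followed by the existing `render json: { objects: download_list }, content_type: LfsRequest::CONTENT_TYPE`. The enclosing action starts and ends outside this hunk.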
@@ -52,11 +60,34 @@ module Repositories
end
def download_objects!
+ existing_oids = project.lfs_objects
+ .for_oids(objects_oids)
+ .index_by(&:oid)
+
+ objects.each do |object|
+ if lfs_object = existing_oids[object[:oid]]
+ object[:actions] = download_actions(object, lfs_object)
+
+ if Guest.can?(:download_code, project)
+ object[:authenticated] = true
+ end
+ else
+ object[:error] = {
+ code: 404,
+ message: _("Object does not exist on the server or you don't have permissions to access it")
+ }
+ end
+ end
+
+ objects
+ end
+
+ def legacy_download_objects!
existing_oids = project.lfs_objects_oids(oids: objects_oids)
objects.each do |object|
if existing_oids.include?(object[:oid])
- object[:actions] = download_actions(object)
+ object[:actions] = proxy_download_actions(object)
if Guest.can?(:download_code, project)
object[:authenticated] = true
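Review bot: The new `download_objects!` has no comment stating that the lookup is scoped to `project.lfs_objects`, which is the check that decides whether a requested OID receives a download action at all, now that `download_actions` can turn the matched record into a direct URL. A short comment above the lookup, such as `# Only OIDs linked to this project are eligible; anything else gets the generic 404 below.`, would make that invariant explicit for later edits. Separately, `Guest.can?(:download_code, project)` does not depend on the object and could be evaluated once before `objects.each`, and the assignment in `if lfs_object = existing_oids[object[:oid]]` would read more clearly as a separate lookup line. The hunk ends inside `legacy_download_objects!`, whose body continues outside it.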
@@ -85,7 +116,26 @@ module Repositories
objects
end
- def download_actions(object)
+ def download_actions(object, lfs_object)
+ if lfs_object.file.file_storage? || lfs_object.file.class.proxy_download_enabled?
+ proxy_download_actions(object)
+ else
+ direct_download_actions(lfs_object)
+ end
+ end
+
+ def direct_download_actions(lfs_object)
+ {
+ download: {
+ href: lfs_object.file.url(
+ content_type: "application/octet-stream",
+ expire_at: LFS_DIRECT_BATCH_EXPIRE_IN.since
+ )
+ }
+ }
+ end
+
+ def proxy_download_actions(object)
{
download: {
href: "#{project.http_url_to_repo}/gitlab-lfs/objects/#{object[:oid]}",
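Review bot: `direct_download_actions` repeats the literal `"application/octet-stream"` although `LFS_TRANSFER_CONTENT_TYPE` is defined with the same value at the top of this controller; `content_type: LFS_TRANSFER_CONTENT_TYPE` keeps the two from drifting apart. The method also lacks a comment saying that the returned `href` is a presigned URL served from the file's storage rather than through this controller, so the URL itself is the credential until `expire_at`. A one-line comment above the method noting that batch responses containing it should not be logged or cached would help whoever touches this next. `proxy_download_actions` continues past the end of the hunk.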