author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-01 18:07:25 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-01 18:07:25 +0300 |
commit | fe09bd4d74025ea828425c6ffb0236549d51163f (patch) | |
tree | 68ebb6980ef07bcac528f83d927809b4d063c002 /app/controllers | |
parent | cf19a51fc5711144b26f7123c14f9b64a7597195 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/controllers')
4 files changed, 57 insertions, 7 deletions
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb
index 0d64a685065..d747d397e20 100644
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -11,7 +11,7 @@ module UploadsActions
 prepend_before_action :set_request_format_from_path_extension
 rescue_from FileUploader::InvalidSecret, with: :render_404
- rescue_from ::Gitlab::Utils::PathTraversalAttackError do
+ rescue_from ::Gitlab::PathTraversal::PathTraversalAttackError do
 head :bad_request
 end
 end
@@ -37,7 +37,7 @@ module UploadsActions
 # - or redirect to its URL
 #
 def show
- Gitlab::Utils.check_path_traversal!(params[:filename])
+ Gitlab::PathTraversal.check_path_traversal!(params[:filename])
 return render_404 unless uploader&.exists?
diff --git a/app/controllers/groups/dependency_proxy_for_containers_controller.rb b/app/controllers/groups/dependency_proxy_for_containers_controller.rb
index 1b1aed0ec2e..1fc631f299b 100644
--- a/app/controllers/groups/dependency_proxy_for_containers_controller.rb
+++ b/app/controllers/groups/dependency_proxy_for_containers_controller.rb
@@ -121,7 +121,7 @@ class Groups::DependencyProxyForContainersController < ::Groups::DependencyProxy
 end
 def manifest_file_name
- @manifest_file_name ||= Gitlab::Utils.check_path_traversal!("#{image}:#{tag}.json")
+ @manifest_file_name ||= Gitlab::PathTraversal.check_path_traversal!("#{image}:#{tag}.json")
 end
 def group
diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb
index 7c569df7267..6a6a47bc33d 100644
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -74,6 +74,6 @@ class Projects::ReleasesController < Projects::ApplicationController
 end
 def validate_suffix_path
- Gitlab::Utils.check_path_traversal!(params[:suffix_path]) if params[:suffix_path]
+ Gitlab::PathTraversal.check_path_traversal!(params[:suffix_path]) if params[:suffix_path]
 end
 end
diff --git a/app/controllers/repositories/lfs_api_controller.rb b/app/controllers/repositories/lfs_api_controller.rb
index d52ae723eee..32119ddf89e 100644
--- a/app/controllers/repositories/lfs_api_controller.rb
+++ b/app/controllers/repositories/lfs_api_controller.rb
@@ -6,6 +6,10 @@ module Repositories
 include Gitlab::Utils::StrongMemoize
 LFS_TRANSFER_CONTENT_TYPE = 'application/octet-stream'
+ # Downloading directly with presigned URLs via batch requests
+ # require longer expire time.
+ # The 1h should be enough to download 100 objects.
+ LFS_DIRECT_BATCH_EXPIRE_IN = 3600.seconds
 skip_before_action :lfs_check_access!, only: [:deprecated]
 before_action :lfs_check_batch_operation!, only: [:batch]
@@ -22,7 +26,11 @@ module Repositories
 end
 if download_request?
- render json: { objects: download_objects! }, content_type: LfsRequest::CONTENT_TYPE
+ if Feature.enabled?(:lfs_batch_direct_downloads, project)
+ render json: { objects: download_objects! }, content_type: LfsRequest::CONTENT_TYPE
+ else
+ render json: { objects: legacy_download_objects! }, content_type: LfsRequest::CONTENT_TYPE
+ end
 elsif upload_request?
 render json: { objects: upload_objects! }, content_type: LfsRequest::CONTENT_TYPE
 else
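Review bot: The comment above `LFS_DIRECT_BATCH_EXPIRE_IN` reads as a sizing guess ("should be enough to download 100 objects") and has a grammar slip ("require" → "requires"), but it leaves out what the value actually controls: it is the lifetime of every presigned URL that `direct_download_actions` puts into a batch response, so a URL that leaves the client (logs, shared terminal output) remains usable until it expires even if access to the project is revoked in the meantime. Suggest replacing the three comment lines with `# Lifetime of the presigned object-store URLs returned for direct downloads in a batch response. A client may need a while to fetch every listed object, but anyone holding a URL can use it until it expires, so keep this as short as large batches allow.` The 1h figure and the 100-object rationale can stay as a trailing sentence if the team wants to keep the sizing note.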
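Review bot: The two new branches of the `Feature.enabled?(:lfs_batch_direct_downloads, project)` check differ only in which method builds the objects array, so the `render` call is duplicated with the same `content_type`. Choosing the builder first and rendering once keeps the response shape in one place and makes removing the flag later a one-line change: `objects = Feature.enabled?(:lfs_batch_direct_downloads, project) ? download_objects! : legacy_download_objects!` followed by `render json: { objects: objects }, content_type: LfsRequest::CONTENT_TYPE`. The enclosing action starts before this hunk, so I cannot see whether `project` is already resolved at this point; I assume it is, since the existing `download_objects!` path uses it.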
@@ -52,11 +60,34 @@ module Repositories
 end
 def download_objects!
+ existing_oids = project.lfs_objects
+ .for_oids(objects_oids)
+ .index_by(&:oid)
+
+ objects.each do |object|
+ if lfs_object = existing_oids[object[:oid]]
+ object[:actions] = download_actions(object, lfs_object)
+
+ if Guest.can?(:download_code, project)
+ object[:authenticated] = true
+ end
+ else
+ object[:error] = {
+ code: 404,
+ message: _("Object does not exist on the server or you don't have permissions to access it")
+ }
+ end
+ end
+
+ objects
+ end
+
+ def legacy_download_objects!
 existing_oids = project.lfs_objects_oids(oids: objects_oids)
 objects.each do |object|
 if existing_oids.include?(object[:oid])
- object[:actions] = download_actions(object)
+ object[:actions] = proxy_download_actions(object)
 if Guest.can?(:download_code, project)
 object[:authenticated] = true
@@ -85,7 +116,26 @@ module Repositories
 objects
 end
- def download_actions(object)
+ def download_actions(object, lfs_object)
+ if lfs_object.file.file_storage? || lfs_object.file.class.proxy_download_enabled?
+ proxy_download_actions(object)
+ else
+ direct_download_actions(lfs_object)
+ end
+ end
+
+ def direct_download_actions(lfs_object)
+ {
+ download: {
+ href: lfs_object.file.url(
+ content_type: "application/octet-stream",
+ expire_at: LFS_DIRECT_BATCH_EXPIRE_IN.since
+ )
+ }
+ }
+ end
+
+ def proxy_download_actions(object)
 {
 download: {
 href: "#{project.http_url_to_repo}/gitlab-lfs/objects/#{object[:oid]}", |
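Review bot: `if lfs_object = existing_oids[object[:oid]]` in the new `download_objects!` assigns inside the condition, which reads as a possible `==` typo and is flagged by RuboCop's Lint/AssignmentInCondition; split it into `lfs_object = existing_oids[object[:oid]]` followed by `if lfs_object`. The new loop otherwise mirrors `legacy_download_objects!` line for line (the `Guest.can?(:download_code, project)` check and the 404 error hash), so once the feature flag is removed the two should collapse into one method that only differs in the lookup and the actions builder; a short comment on `legacy_download_objects!` saying it exists only for the `lfs_batch_direct_downloads` rollout would help the next reader. The body of `legacy_download_objects!` continues past the end of this hunk.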
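Review bot: `direct_download_actions` hard-codes `content_type: "application/octet-stream"` even though this file already defines `LFS_TRANSFER_CONTENT_TYPE` with that exact value (visible in the first hunk of this file), so the two can silently drift; use `content_type: LFS_TRANSFER_CONTENT_TYPE`. In `download_actions` the condition calls `lfs_object.file` twice and `direct_download_actions` a third time; binding `file = lfs_object.file` once at the top of `download_actions` keeps the storage-backend decision and the URL generation reading from the same object. A one-line comment on `download_actions` stating that local/file storage and proxy-download-enabled backends fall back to the GitLab-proxied URL while other object-store backends get a presigned URL would document the branch, which is the security-relevant choice here. `proxy_download_actions` continues outside the hunk.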