Repository: gitlab.com/gitlab-org/gitlab-foss.git
Path: root/config
author: Marin Jankovski <marin@gitlab.com> 2015-02-21 01:47:54 +0300
committer: Marin Jankovski <marin@gitlab.com> 2015-02-21 01:47:54 +0300
commit: 8ae3112b3f303c897c70952dd162589b1c394221 (patch)
tree: f1ee6b9013604a688cd06c75cc64650c564b3ff2 /config
parent: acc312fc257cd8534ccbbeab6e7bf70dca60279b (diff)
parent: 26d57a648c09f40bd1da3c81a0efe3661288b1af (diff)
Merge branch 'upload-xss-access-control' into 'master'
Fix note attachments XSS and access control

Replaces the reverted #1528, as proposed in https://gitlab.com/gitlab-org/omnibus-gitlab/issues/434, as discussed with @dzaporozhets and as summarized in #2032.

@marin Could you take a look at the nginx config and apply it to Omnibus once this gets merged?

See merge request !1553
Diffstat (limited to 'config')
-rw-r--r--  config/initializers/static_files.rb  18
-rw-r--r--  config/routes.rb                     14
2 files changed, 32 insertions, 0 deletions
diff --git a/config/initializers/static_files.rb b/config/initializers/static_files.rb
new file mode 100644
index 00000000000..bc4fe14bc1a
--- /dev/null
+++ b/config/initializers/static_files.rb
@@ -0,0 +1,18 @@
+begin
+ app = Rails.application
+
+ # The `ActionDispatch::Static` middleware intercepts requests for static files
+ # by checking if they exist in the `/public` directory.
+ # We're replacing it with our `Gitlab::Middleware::Static` that does the same,
+ # except ignoring `/uploads`, letting those go through to the GitLab Rails app.
+
+ app.config.middleware.swap(
+ ActionDispatch::Static,
+ Gitlab::Middleware::Static,
+ app.paths["public"].first,
+ app.config.static_cache_control
+ )
+rescue
+ # If ActionDispatch::Static wasn't loaded onto the stack (like in production),
+ # an exception is raised.
+end
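Review bot: the bare `rescue` closing the `begin` block in `static_files.rb` catches every StandardError, not only the error `middleware.swap` raises when `ActionDispatch::Static` is not on the stack, so a failure to load `Gitlab::Middleware::Static` (a NameError, for example) is silently ignored and `/uploads` keeps being served by `ActionDispatch::Static` with no access control, which is the exact condition this merge request exists to fix. Suggest testing for the middleware explicitly instead of rescuing, e.g. `if app.config.middleware.include?(ActionDispatch::Static)` (the middleware stack is Enumerable), or at least rescuing the specific error class and logging that the swap was skipped. The comment should also say that this initializer only covers deployments where Rails serves `/public`; when nginx serves it directly, the matching `/uploads` exclusion in the nginx config the commit message asks @marin to apply is what enforces the protection.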
diff --git a/config/routes.rb b/config/routes.rb
index 101c5f3c362..a6ffd28b2ea 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -75,7 +75,21 @@ Gitlab::Application.routes.draw do
end
end
+ #
+ # Uploads
+ #
+ scope path: :uploads do
+ # Note attachments and User/Group/Project avatars
+ get ":model/:mounted_as/:id/:filename",
+ to: "uploads#show",
+ constraints: { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /.+/ }
+
+ # Project markdown uploads
+ get ":id/:secret/:filename",
+ to: "projects/uploads#show",
+ constraints: { id: /[a-zA-Z.0-9_\-]+\/[a-zA-Z.0-9_\-]+/, filename: /.+/ }
+ end
#
# Explore area
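Review bot: the constraints in the new `scope path: :uploads` block (`filename: /.+/`, the `id:` namespace/project pattern, and the `model`/`mounted_as` allowlists) only decide which requests reach `uploads#show` and `projects/uploads#show`; they perform no authorization and no validation of the filename beyond "non-empty", so the access-control and path checks this merge request describes have to live in those two controllers, which are outside this diff (Diffstat is limited to `config`). Suggest a comment in the scope stating where those checks are enforced so a later reader does not take the routes themselves for the protection. Also note that `model: /note|user|group|project/` and `mounted_as: /avatar|attachment/` need updating whenever a new uploader mount is added: with the swapped middleware no longer serving `/uploads` statically, an unlisted mount will not match any route and its files become unreachable rather than being served without checks.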