Add public/uploads/tmp to allowed upload paths

When direct_upload is enabled and a for file is being uploaded,
then workhorse uses `public/uploads/tmp` path. If `uploads.storage_path`
i sset to a different directory, then upload fails because
`public/uploads/tmp` is not in allowed paths.

1 files changed, 20 insertions, 0 deletions

diff --git a/spec/lib/gitlab/middleware/multipart_spec.rb b/spec/lib/gitlab/middleware/multipart_spec.rb
index f788f8ee276..daf454665b0 100644
--- a/spec/lib/gitlab/middleware/multipart_spec.rb
+++ b/spec/lib/gitlab/middleware/multipart_spec.rb
@@ -75,6 +75,26 @@ describe Gitlab::Middleware::Multipart do
     it_behaves_like 'multipart upload files'
   end
 
+  it 'allows files in uploads/tmp directory' do
+    Dir.mktmpdir do |dir|
+      uploads_dir = File.join(dir, 'public/uploads/tmp')
+      FileUtils.mkdir_p(uploads_dir)
+
+      allow(Rails).to receive(:root).and_return(dir)
+      allow(Dir).to receive(:tmpdir).and_return(File.join(Dir.tmpdir, 'tmpsubdir'))
+
+      Tempfile.open('top-level', uploads_dir) do |tempfile|
+        env = post_env({ 'file' => tempfile.path }, { 'file.name' => original_filename, 'file.path' => tempfile.path }, Gitlab::Workhorse.secret, 'gitlab-workhorse')
+
+        expect(app).to receive(:call) do |env|
+          expect(Rack::Request.new(env).params['file']).to be_a(::UploadedFile)
+        end
+
+        middleware.call(env)
+      end
+    end
+  end
+
   it 'allows symlinks for uploads dir' do
     Tempfile.open('two-levels') do |tempfile|
       symlinked_dir = '/some/dir/uploads'