Add public/uploads/tmp to allowed upload paths

When direct_upload is enabled and a for file is being uploaded, then workhorse uses `public/uploads/tmp` path. If `uploads.storage_path` i sset to a different directory, then upload fails because `public/uploads/tmp` is not in allowed paths.
2018-07-31 22:28:48 +02:00 · 2018-07-31 22:28:48 +02:00 · 4ca9f3b417
commit 4ca9f3b417
parent d2590b1542
3 changed files with 32 additions and 3 deletions
--- a/changelogs/unreleased/jprovazn-fix-form-uploads.yml
+++ b/changelogs/unreleased/jprovazn-fix-form-uploads.yml
@ -0,0 +1,5 @@
+---
+title: Accept upload files in public/uplaods/tmp when using accelerated uploads.
+merge_request:
+author:
+type: fixed
--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@ -82,9 +82,13 @@ module Gitlab
        end

        def open_file(params, key)
-          ::UploadedFile.from_params(
-            params, key,
-            [FileUploader.root, Gitlab.config.uploads.storage_path])
+          allowed_paths = [
+            FileUploader.root,
+            Gitlab.config.uploads.storage_path,
+            File.join(Rails.root, 'public/uploads/tmp')
+          ]
+
+          ::UploadedFile.from_params(params, key, allowed_paths)
        end
      end

--- a/spec/lib/gitlab/middleware/multipart_spec.rb
+++ b/spec/lib/gitlab/middleware/multipart_spec.rb
@ -75,6 +75,26 @@ describe Gitlab::Middleware::Multipart do
    it_behaves_like 'multipart upload files'
  end

+  it 'allows files in uploads/tmp directory' do
+    Dir.mktmpdir do |dir|
+      uploads_dir = File.join(dir, 'public/uploads/tmp')
+      FileUtils.mkdir_p(uploads_dir)
+
+      allow(Rails).to receive(:root).and_return(dir)
+      allow(Dir).to receive(:tmpdir).and_return(File.join(Dir.tmpdir, 'tmpsubdir'))
+
+      Tempfile.open('top-level', uploads_dir) do |tempfile|
+        env = post_env({ 'file' => tempfile.path }, { 'file.name' => original_filename, 'file.path' => tempfile.path }, Gitlab::Workhorse.secret, 'gitlab-workhorse')
+
+        expect(app).to receive(:call) do |env|
+          expect(Rack::Request.new(env).params['file']).to be_a(::UploadedFile)
+        end
+
+        middleware.call(env)
+      end
+    end
+  end
+
  it 'allows symlinks for uploads dir' do
    Tempfile.open('two-levels') do |tempfile|
      symlinked_dir = '/some/dir/uploads'