author | Jan Provaznik <jprovaznik@gitlab.com> | 2018-07-31 22:28:48 +0200 |
---|---|---|
committer | Jan Provaznik <jprovaznik@gitlab.com> | 2018-08-21 17:39:46 +0200 |
commit | 4ca9f3b417e32c557c182f1ee45b3c3f694174db (patch) | |
tree | d603934a7f1e2479da2ea914aa50f3ab14b27030 /spec/lib/gitlab/middleware | |
parent | d2590b154228ed49dd4a949c889fb6234343ec94 (diff) | |
download | gitlab-ce-4ca9f3b417e32c557c182f1ee45b3c3f694174db.tar.gz |

Add public/uploads/tmp to allowed upload paths
jprovazn-fix-form-uploads

When direct_upload is enabled and a form file is being uploaded,
then workhorse uses `public/uploads/tmp` path. If `uploads.storage_path`
is set to a different directory, then upload fails because
`public/uploads/tmp` is not in allowed paths.

Diffstat (limited to 'spec/lib/gitlab/middleware')
-rw-r--r-- | spec/lib/gitlab/middleware/multipart_spec.rb | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/spec/lib/gitlab/middleware/multipart_spec.rb b/spec/lib/gitlab/middleware/multipart_spec.rb index f788f8ee276..daf454665b0 100644 --- a/spec/lib/gitlab/middleware/multipart_spec.rb +++ b/spec/lib/gitlab/middleware/multipart_spec.rb @@ -75,6 +75,26 @@ describe Gitlab::Middleware::Multipart do it_behaves_like 'multipart upload files' end + it 'allows files in uploads/tmp directory' do + Dir.mktmpdir do |dir| + uploads_dir = File.join(dir, 'public/uploads/tmp') + FileUtils.mkdir_p(uploads_dir) + + allow(Rails).to receive(:root).and_return(dir) + allow(Dir).to receive(:tmpdir).and_return(File.join(Dir.tmpdir, 'tmpsubdir')) + + Tempfile.open('top-level', uploads_dir) do |tempfile| + env = post_env({ 'file' => tempfile.path }, { 'file.name' => original_filename, 'file.path' => tempfile.path }, Gitlab::Workhorse.secret, 'gitlab-workhorse') + + expect(app).to receive(:call) do |env| + expect(Rack::Request.new(env).params['file']).to be_a(::UploadedFile) + end + + middleware.call(env) + end + end + end + it 'allows symlinks for uploads dir' do Tempfile.open('two-levels') do |tempfile| symlinked_dir = '/some/dir/uploads' |
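
Review bot: the new example 'allows files in uploads/tmp directory' only proves the positive case, so it would still pass if the allowed-path check accepted everything under the stubbed `Rails.root`. Since this change widens an upload path allowlist, add a companion example that places the tempfile in a sibling directory of `public/uploads/tmp` under the same `dir` and expects the middleware to reject it. Two smaller points in the same example: `allow(Dir).to receive(:tmpdir).and_return(File.join(Dir.tmpdir, 'tmpsubdir'))` deserves a one-line comment explaining why it is there (presumably so a file created under `Dir.mktmpdir` is not accepted merely for living under the system temp directory), and the block parameter in `expect(app).to receive(:call) do |env|` shadows the outer `env` built by `post_env`, so rename one of them.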