Return 404 if model id wasn't passed to UploadsController

From the security perspective, we incorrectly return 200 when id wasn't passed. That allows Workhorse to process the file that is being uploaded. It can cause massive exhaustion. Changelog: security

Return 404 if model id wasn't passed to UploadsController
From the security perspective, we incorrectly return 200 when id wasn't passed. That allows Workhorse to process the file that is being uploaded. It can cause massive exhaustion. Changelog: security
c5fac895 · Igor Drozdov · 7546a09e · c5fac895 · c5fac895 · c5fac895
Commit c5fac895 authored Sep 27, 2021 by Igor Drozdov
3 changed files
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -36,14 +36,10 @@ class UploadsController < ApplicationController
  end

  def find_model
-    return unless params[:id]
-
    upload_model_class.find(params[:id])
  end

  def authorize_access!
-    return unless model
-
    authorized =
      case model
      when Note
@@ -68,8 +64,6 @@ class UploadsController < ApplicationController
  end

  def authorize_create_access!
-    return unless model
-
    authorized =
      case model
      when User

--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -666,6 +666,6 @@ RSpec.describe UploadsController do
  def post_authorize(verified: true)
    request.headers.merge!(workhorse_internal_api_request_header) if verified

-    post :authorize, params: { model: 'personal_snippet', id: model.id }, format: :json
+    post :authorize, params: params, format: :json
  end
 end
--- a/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
@@ -323,6 +323,16 @@ RSpec.shared_examples 'handle uploads authorize' do
      end
    end

+    context 'when id is not passed as a param' do
+      let(:params) { super().without(:id) }
+
+      it 'returns 404 status' do
+        post_authorize
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+
    context 'when a user can upload a file' do
      before do
        sign_in(user)