go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Cannot create issue attachment via the API when using query parameter #30766

Closed Android-X13 closed 1 month ago

Android-X13 commented 2 months ago

Description

In previous versions I used to be able to create issue attachments via the API like so (as per the docs):

curl -X 'POST' "http://host/api/v1/repos/$org/$repo/issues/$index/assets?name=Test" \
  -H "Accept: application/json" \
  -H "Authorization: token $TOKEN" \
  -H "Content-Type: multipart/form-data" \
  -F "attachment=@test.jpg;type=image/jpeg"

However now the server responds:

"This file extension or type is not allowed to be uploaded."

The attachment is created fine if the name query parameter is removed.

Gitea Version

1.21.11

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Binary download, systemd

Database

None

KN4CK3R commented 2 months ago

I don't think there was a relevant change. But with name=Test you prevent a check of the filename extension. If you remove the name parameter, the upload filename test.jpg is used.

Android-X13 commented 2 months ago

I'm pretty sure I could use it in older versions with no problem... I don't remember which version though.

This is how the attachment looks now:

attachment

When using the name parameter, instead of the filename test.jpg it would show the name provided.

What is the point of the name parameter in the API docs if it's never used?

KN4CK3R commented 2 months ago

It is used and overrides the upload filename. If you pass name=test2.jpg your upload is named test2.jpg.

kemzeb commented 2 months ago

To add some clarification, the problem you are having is that when you pass name=Test we perform an extension check that honors what is provided in ALLOWED_TYPES in your app.ini's [attachment] section. If you don't explicitly define this key, we have a default that is used (see here for more details). Since Test doesn't have an extension that is known in this list, we will reject it.

You have a few options to solve this:

However, if you want to allow a file with no extension, this does not look possible currently given the code that I see. We don't accept empty entries in ALLOWED_TYPES and we always expect at least a . prefix when you pass an extension (e.g. we would allow .webp but ignore webp during verification).
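The behaviour described in the comments above, as an added example that is not part of the original thread and is not Gitea's own code. It is a simplified model that assumes only what the thread states: the `name` query parameter replaces the upload filename before the extension check, and allow-list entries count only when they start with `.`. The function names and the allow-list value are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// parseAllowed keeps only entries that start with "." (for example ".jpg").
// Empty entries and bare names such as "webp" are dropped, as the thread describes.
func parseAllowed(list string) map[string]bool {
	allowed := make(map[string]bool)
	for _, entry := range strings.Split(list, ",") {
		entry = strings.ToLower(strings.TrimSpace(entry))
		if strings.HasPrefix(entry, ".") && len(entry) > 1 {
			allowed[entry] = true
		}
	}
	return allowed
}

// effectiveName returns the name the check sees: the name query parameter
// overrides the multipart upload filename when it is set.
func effectiveName(queryName, uploadName string) string {
	if queryName != "" {
		return queryName
	}
	return uploadName
}

// extensionAllowed checks the extension of the effective name against the list.
func extensionAllowed(queryName, uploadName, list string) bool {
	ext := strings.ToLower(path.Ext(effectiveName(queryName, uploadName)))
	return ext != "" && parseAllowed(list)[ext]
}

func main() {
	// Constructed allow-list for illustration, not Gitea's default value.
	const allowedTypes = ".jpg, .png, webp, ,"
	for _, q := range []string{"", "Test", "test2.jpg", "report.webp"} {
		fmt.Printf("name=%-12q upload=test.jpg allowed=%v\n",
			q, extensionAllowed(q, "test.jpg", allowedTypes))
	}
}
```

Validating the same name that ends up stored means a caller cannot pass the check with one filename and have the attachment saved under another.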

Android-X13 commented 1 month ago

@kemzeb thanks for the info.

My intention was not to add a file with no extension. As I've already said above, I thought that the name parameter just names the attachment in the web interface. I recall that this was the case in a previous version, but if I'm terribly mistaken then I guess the issue can be closed?

kemzeb commented 1 month ago

No problem.

After exploring the following commits:

To me it looks like we have been performing these checks on the name query param ever since the API's inception.