refactor(files): derive attachment size from content in sibling callers
Task/project duplication and the Todoist migration were passing stored or API-reported sizes into NewAttachment. Derive the size from the actual buffered content so every caller matches the hardened boundary behaviour (GHSA-qh78-rvg3-cv54 defence-in-depth).
parent
94f42bd6b2
commit
667f229d8c
|
|
@ -404,7 +404,7 @@ func duplicateTasks(s *xorm.Session, doer web.Auth, ld *ProjectDuplicate) (newTa
|
|||
_ = attachment.File.File.Close()
|
||||
}
|
||||
|
||||
err = attachment.NewAttachment(s, bytes.NewReader(buf), attachment.File.Name, attachment.File.Size, doer)
|
||||
err = attachment.NewAttachment(s, bytes.NewReader(buf), attachment.File.Name, uint64(len(buf)), doer)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
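Review bot: The `attachment.NewAttachment` call in `duplicateTasks` now passes `uint64(len(buf))`, but nothing at the call site says why the stored `attachment.File.Size` is deliberately ignored; the same applies to the identical call in `(*TaskDuplicate).Create`. A one-line comment above each call, such as `// Size is taken from the buffered bytes, not the stored record (GHSA-qh78-rvg3-cv54 defence-in-depth).`, would keep a later cleanup from restoring the field. A stored size that disagrees with `len(buf)` is also dropped silently; logging the mismatch would help operators find records whose metadata may predate the hardening. How `buf` is filled lies outside both hunks, so whether that read is bounded cannot be confirmed from this page.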
|
||||
|
|
|
|||
|
|
@ -138,7 +138,7 @@ func (td *TaskDuplicate) Create(s *xorm.Session, doer web.Auth) (err error) {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = attachment.NewAttachment(s, bytes.NewReader(buf), attachment.File.Name, attachment.File.Size, doer)
|
||||
err = attachment.NewAttachment(s, bytes.NewReader(buf), attachment.File.Name, uint64(len(buf)), doer)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -441,7 +441,7 @@ func convertTodoistToVikunja(sync *sync, doneItems map[string]*doneItem) (fullVi
|
|||
File: &files.File{
|
||||
Name: n.FileAttachment.FileName,
|
||||
Mime: n.FileAttachment.FileType,
|
||||
Size: uint64(n.FileAttachment.FileSize),
|
||||
Size: uint64(buf.Len()),
|
||||
Created: n.Posted,
|
||||
// We directly pass the file contents here to have a way to link the attachment to the file later.
|
||||
// Because we don't have an ID for our task at this point of the migration, we cannot just throw all
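Review bot: `Size` is now the only field in this `files.File` literal derived from the downloaded bytes; `Name` and `Mime` are still copied from `n.FileAttachment`. If anything downstream relies on `Mime` when storing or serving the attachment (not visible here), the same defence-in-depth reasoning applies and the type could be derived from the content instead, for example `Mime: http.DetectContentType(buf.Bytes()),`. Note also that `buf.Len()` counts only unread bytes, so it matches the stored content only if nothing has read from `buf` before this point. The code that fills `buf` and assigns `FileContent` is outside the hunk.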
|
||||
|
|
|
|||
|
|
@ -558,9 +558,10 @@ func TestConvertTodoistToVikunja(t *testing.T) {
|
|||
Attachments: []*models.TaskAttachment{
|
||||
{
|
||||
File: &files.File{
|
||||
Name: "file.md",
|
||||
Mime: "text/plain",
|
||||
Size: 12345,
|
||||
Name: "file.md",
|
||||
Mime: "text/plain",
|
||||
// Size from content, not API metadata (GHSA-qh78-rvg3-cv54 defense-in-depth).
|
||||
Size: uint64(len(exampleFile)),
|
||||
Created: time1,
|
||||
FileContent: exampleFile,
|
||||
},
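Review bot: The expected `Size: uint64(len(exampleFile))` only proves the API metadata is ignored if the input fixture still reports a different `FileSize`. The fixture is outside this hunk, so that should be checked. If the reported size equals the content length, the test passes with either implementation. Keeping a deliberately wrong value in the input (the old expectation was `12345`) with a comment such as `// deliberately differs from len(exampleFile)` would make the regression check explicit.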
|
||||
|
|
|
|||