From 667f229d8ca417f412dd8a7c35f143514e0dd75d Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 9 Apr 2026 17:15:24 +0200
Subject: [PATCH] refactor(files): derive attachment size from content in sibling callers

Task/project duplication and the Todoist migration were passing stored or API-reported sizes into NewAttachment. Derive the size from the actual buffered content so every caller matches the hardened boundary behaviour (GHSA-qh78-rvg3-cv54 defence-in-depth).
---
 pkg/models/project_duplicate.go | 2 +-
 pkg/models/task_duplicate.go | 2 +-
 pkg/modules/migration/todoist/todoist.go | 2 +-
 pkg/modules/migration/todoist/todoist_test.go | 7 ++++---
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/pkg/models/project_duplicate.go b/pkg/models/project_duplicate.go
index d0f913210..2ad0857ec 100644
--- a/pkg/models/project_duplicate.go
+++ b/pkg/models/project_duplicate.go
@@ -404,7 +404,7 @@ func duplicateTasks(s *xorm.Session, doer web.Auth, ld *ProjectDuplicate) (newTa
 		_ = attachment.File.File.Close()
 	}
 
-	err = attachment.NewAttachment(s, bytes.NewReader(buf), attachment.File.Name, attachment.File.Size, doer)
+	err = attachment.NewAttachment(s, bytes.NewReader(buf), attachment.File.Name, uint64(len(buf)), doer)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/models/task_duplicate.go b/pkg/models/task_duplicate.go
index 7d3bde995..175834c7a 100644
--- a/pkg/models/task_duplicate.go
+++ b/pkg/models/task_duplicate.go
@@ -138,7 +138,7 @@ func (td *TaskDuplicate) Create(s *xorm.Session, doer web.Auth) (err error) {
 	if err != nil {
 		return err
 	}
-	err = attachment.NewAttachment(s, bytes.NewReader(buf), attachment.File.Name, attachment.File.Size, doer)
+	err = attachment.NewAttachment(s, bytes.NewReader(buf), attachment.File.Name, uint64(len(buf)), doer)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/modules/migration/todoist/todoist.go b/pkg/modules/migration/todoist/todoist.go
index e7a9098b5..d96338197 100644
--- a/pkg/modules/migration/todoist/todoist.go
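Review bot: The stored `attachment.File.Size` is now discarded rather than cross-checked against the buffered content, in both the project_duplicate.go hunk and the task_duplicate.go hunk; a disagreement between the two would point to a truncated or corrupted object in file storage and is currently re-labelled silently with the new length. A short guard before the call, e.g. `if uint64(len(buf)) != attachment.File.Size { return nil, fmt.Errorf("attachment %d: stored size %d does not match content length %d", attachment.ID, attachment.File.Size, len(buf)) }` (returning only `err` in task_duplicate.go), would surface that; whether to fail or merely log is a policy call for the maintainers. The read that fills `buf` sits above both hunks, and both enclosing functions start and end outside them, so this assumes `buf` holds the complete file contents.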
+++ b/pkg/modules/migration/todoist/todoist.go
@@ -441,7 +441,7 @@ func convertTodoistToVikunja(sync *sync, doneItems map[string]*doneItem) (fullVi
 				File: &files.File{
 					Name: n.FileAttachment.FileName,
 					Mime: n.FileAttachment.FileType,
-					Size: uint64(n.FileAttachment.FileSize),
+					Size: uint64(buf.Len()),
 					Created: n.Posted,
 					// We directly pass the file contents here to have a way to link the attachment to the file later.
 					// Because we don't have an ID for our task at this point of the migration, we cannot just throw all
diff --git a/pkg/modules/migration/todoist/todoist_test.go b/pkg/modules/migration/todoist/todoist_test.go
index df95ecbef..01a7a114b 100644
--- a/pkg/modules/migration/todoist/todoist_test.go
+++ b/pkg/modules/migration/todoist/todoist_test.go
@@ -558,9 +558,10 @@ func TestConvertTodoistToVikunja(t *testing.T) {
 				Attachments: []*models.TaskAttachment{
 					{
 						File: &files.File{
-							Name: "file.md",
-							Mime: "text/plain",
-							Size: 12345,
+							Name: "file.md",
+							Mime: "text/plain",
+							// Size from content, not API metadata (GHSA-qh78-rvg3-cv54 defense-in-depth).
+							Size: uint64(len(exampleFile)),
 							Created: time1,
 							FileContent: exampleFile,
 						},
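Review bot: `Mime: n.FileAttachment.FileType` on the line above the changed `Size` still takes the content type verbatim from the Todoist API, so the file record now mixes a content-derived size with a remotely supplied MIME type; if that stored Mime is later emitted as a Content-Type header when the attachment is served, it remains a value under the migrated account's control rather than the file's. Consider deriving it from the buffered bytes, e.g. `Mime: http.DetectContentType(buf.Bytes())` (this assumes `buf` is a `*bytes.Buffer`, which `buf.Len()` suggests), or add a comment stating why the API-reported type is acceptable here. The enclosing convertTodoistToVikunja body starts and ends outside the hunk.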
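Review bot: The todoist_test.go fixture now expects `Size: uint64(len(exampleFile))`, which only distinguishes content-derived size from the old API-reported one if the mocked `FileAttachment.FileSize` in the test data differs from `len(exampleFile)`; that mock data is outside the hunk, so this is inferred. Setting the mocked FileSize to a deliberately different value (the previous literal `12345` would do) makes this assertion fail on a regression to reading the API value. The enclosing TestConvertTodoistToVikunja starts and ends outside the hunk.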