Attach attachments of issues/comments in notification emails

[lunny]

When post issues or comments with attachments, some notification emails will be sent to related users. But the attachments is absent.

[craig-tx]

When you say 'absent' do you mean that the attachment link is there but not accessible? From what I observe the linked attachment requires authentication to view it - and of course the email client is not authenticated to Gitea (see screenshot).

What could be the workaround? Modify the configuration somehow so that attachments do not require authentication? Of course you would need to accept the security risk of making attachments publicly available.

[wxiaoguang]

The attachment URL is "https://xxxx/team/repo/attachments/222a65d6-b297-4477-bb9b-1c55e46dd4e9", so it won't be displayed unless the repository has public access.

The fix can be "Allow anonymous to access attachments in non-public repositories", but I do not know whether this change affects security concerns. From my side, I think it's OK.

[wxiaoguang]

Another more secure design can be:

Add a secret_seed column to attachments table, and generate a random secret for every attachment.

When a attachment should be accessed without authentication, use a URL like "http://.../attachments/xxxxx?timestamp=yyyyyy&sign=zzzzzzzz", the sign is calculated by secret_seed and timestamp.

But this mechanism is too complex. "Allow anonymous to access attachments in non-public repositories" seems enough.

[craig-tx]

secret_seed and timestamp.

Is the idea with this option that the link has a brief lifetime of when it will work? Similar to an Amazon S3 presigned URL that expires after 7 days? I can see how that could help with reducing exposure to possible URL guessing attacks (although attachments being GUIDs already makes that type of attack difficult)

But this mechanism is too complex. "Allow anonymous to access attachments in non-public repositories" seems enough.

I would agree. Allow the admin to decide whether the convenience of rendering attachments unauthenticated is worth the security tradeoff.

[lunny]

Another more secure design can be:

Add a secret_seed column to attachments table, and generate a random secret for every attachment.

When a attachment should be accessed without authentication, use a URL like "http://.../attachments/xxxxx?timestamp=yyyyyy&sign=zzzzzzzz", the sign is calculated by secret_seed and timestamp.

But this mechanism is too complex. "Allow anonymous to access attachments in non-public repositories" seems enough.

I don't think this is the best resolution. The link maybe not visited from users' computer directly. And the gitea service maybe stopped because of maintain. I would like embed files in email if it's an image or attachment files in email.

[wxiaoguang]

@lunny I just tried on GitHub.

What GitHub does is the simple solution: do not limit attachment access.

For example, I uploaded an attachment into my private repository on GitHub, the attachment can be accessed anonymously:

https://user-images.githubusercontent.com/2114189/132302915-624237f7-54f9-42c4-8d19-ba9034bf433d.png

So I think it's still reasonable to use the simple mechanism.

[lunny]

Yes, the uuid is generated randomly. It should not be guessed or iterated by others if we don't leak it. So a permission check is not necessary.

[renothing]

the best simple way maybe image embed in content by base64 data directly.
for exmaple:

<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4
  //8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />

https://www.w3docs.com/snippets/html/how-to-display-base64-images-in-html.html