Permit service_name in direct uploads #37501
Conversation
Making that choice param / data-* attribute based means the app isn't really choosing, the client is. Someone can open the web inspector, tamper with the params, and upload files to a different service. I think that logic should live firmly in the app itself, but I'm not familiar enough with the recent multi-service changes to suggest how.
So we do have a validation on blobs that would restrict the value to a valid service, so there's no chance of malformed data. We could alternatively make separate direct upload endpoints for each service, but that would likely be a breaking change. I think either way the client has to ultimately indicate which service to directly upload to (unless it is the default one).
That only validates that the service exists, if I'm reading correctly, and the data could still be tampered with to make it reference the wrong service. Like, I could fiddle with the params and put files in your private service instead of the public service.
Ah, good catch. Yes, that could definitely be abused if the client knew the names of other buckets. I'll think about this a little more and see if I can make everything server-side. Thanks for the feedback! ❤️
This is tough because service names are specified in attachment associations and the direct upload will create the blob before the attachment is created. I thought of signing the
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Update: I just realized that the request asking for the upload url is the one specifying the service name, so yes we need to make sure it doesn't get tampered 👌
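The tampering risk raised in the thread (the client, not the app, ends up choosing the service, and a signature on the service name is floated as a fix) can be illustrated with an added example. This is not code from the pull request or from Active Storage; it is a stand-alone, hypothetical sketch of the signed-token approach. It assumes a made-up secret, a made-up list of two configured services (`public` and `private`), and an HMAC-SHA256 token of the form `payload.signature`. The idea is that the server decides the service when it renders the form and hands the client an opaque signed token; the direct-upload endpoint then accepts only a service name it can recover from a valid token, so editing the data attribute in the web inspector yields a rejected request rather than a blob in the wrong bucket.

```ruby
require "openssl"
require "json"
require "base64"

# Added, hypothetical example; not part of rails/rails or of this PR.
module SignedServiceToken
  # Constructed secret for the example; a real app would use its own
  # application secret (e.g. secret_key_base), never a literal.
  SECRET = "example-secret-do-not-use".freeze

  # Constructed stand-in for the services configured in storage.yml.
  SERVICES = %w[public private].freeze

  module_function

  # Server side, when rendering the form: the app picks the service and
  # signs it. The client only ever sees the token, not a bare service name.
  def generate(service_name, secret: SECRET)
    raise ArgumentError, "unknown service #{service_name}" unless SERVICES.include?(service_name)

    payload = Base64.urlsafe_encode64(JSON.generate(service: service_name), padding: false)
    "#{payload}.#{sign(payload, secret)}"
  end

  # Server side, in the endpoint that issues the direct-upload URL: recover
  # the service name only if the signature matches. Returns nil for any
  # tampered, forged, malformed or unknown value, so the caller can reject it.
  def verify(token, secret: SECRET)
    payload, sig = token.to_s.split(".", 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_compare(sig, sign(payload, secret))

    data = JSON.parse(Base64.urlsafe_decode64(payload))
    return nil unless data.is_a?(Hash)

    service = data["service"]
    SERVICES.include?(service) ? service : nil
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Simulates the attack from the thread: the client keeps the server-issued
  # signature but rewrites the payload to name a different service.
  def client_tampers(token, new_service)
    sig = token.split(".", 2).last
    forged = Base64.urlsafe_encode64(JSON.generate(service: new_service), padding: false)
    "#{forged}.#{sig}"
  end

  def sign(payload, secret)
    OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  end

  # Constant-time comparison so the endpoint does not leak how many
  # leading bytes of a guessed signature were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  token = SignedServiceToken.generate("public")
  puts "issued token verifies as: #{SignedServiceToken.verify(token).inspect}"
  forged = SignedServiceToken.client_tampers(token, "private")
  puts "tampered token verifies as: #{SignedServiceToken.verify(forged).inspect}"
  puts "bare service name verifies as: #{SignedServiceToken.verify('private').inspect}"
end
```

Note that this still leaves the client "indicating" the service, as one comment in the thread says is unavoidable, but what it indicates is a value the app authorized earlier rather than a name it can choose freely; knowing the name of the private bucket no longer helps without the secret.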
Summary
For apps with multiple services (e.g. a public one and a private one), they should be able to choose which service they want to directly upload to.
How should we expose this in the JS API? Currently, you use `direct_upload: true` to denote a direct upload file field. I was thinking of allowing something along the lines of `direct_upload: { service: "x" }`. We could also try to infer it from the `ActiveStorage::Attached::One`/`ActiveStorage::Attached::Many` object, but I don't see an easy way of doing that. WDYT?
cc @javan @georgeclaghorn