Skip to content

Prevent creation of too long file name

Samantha Ming requested to merge 254215-prevent-long-file-name-creation into master

What does this MR do?

This MR prevents a "File name too long" from being created, which is problematic because it can break backups > Issue: #254215 (closed). This happens when pasting some long texts from Microsoft into our dropzone text area.

Before This MR
image image
Sucessfully create an image with the long file name 😱 Yay, file name automatically truncates to acceptable length before sending it to our upload request

Notes

Yes, on the frontend we have addressed the problem of sending a long file name to our upload request. But I think on the backend we might want to add some additional checks to NOT accept too long file names from being saved in the first place (it should not be a successful response, it should fail). Here's a follow-up ticket to address that > #339982

Secondly, we might want to look into why texts from Microsoft products (ie. OneNote and Powerpoint) get pasted as images instead of actual text. Here's the follow up to look into that > #339984 (closed)

Testing Case

  1. Find a random MR where you can insert a comment.
  2. Paste a very long text into a Microsoft OneNote. Below is a sample text you can use (it contains 320 characters).
lorem_ipsum_dolor_sit_amet_consectetuer_adipiscing_elit_aenean_commodo_ligula_eget_dolor_aenean_massa_cum_sociis_natoque_penatibus_et_magnis_dis_parturient_montes_nascetur_ridiculus_mus_donec_quam_felis_ultricies_nec_pellentesque_eu_pretium_quis_sem_nulla_consequat_massa_quis_enim_donec_pede_justo_fringilla_vel_ali_320
  1. Copy the text from Microsoft OneNote into your comment textarea.
  2. The pasted text (which will become an image) will be uploaded and saved with a truncated text name.

truncated-too-long-file-name

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #254215 (closed)

Edited by Samantha Ming

Merge request reports

Loading