  1. Nuxeo Platform
  2. NXP-18030

Don't allow batch upload with a client-side generated id



    • Type: Task
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.4
    • Fix Version/s: 7.10
    • Component/s: File Upload, Rest API
    • Tags:
    • Impact type:
      API change
    • Upgrade notes:

      Deprecated BatchManager#initBatch(String batchId, String contextName);

    • Sprint:
      drive-7.10-1, drive-7.10-2
    • Story Points:


      The new upload API implemented by BatchUploadObject doesn't allow such a thing.
      Whatever request is made to the /api/v1/upload endpoint, the batchId is part of the resource itself, e.g.:

          public Response upload(@Context HttpServletRequest request, @PathParam(REQUEST_BATCH_ID) String batchId, @PathParam(REQUEST_FILE_IDX) String fileIdx) throws IOException

      A 404 status code is returned if the batch matching the given id doesn't exist.

      Yet the old API, deprecated but maintained for backward compatibility, does allow such a client-side generated id passed as a request header, see BatchResource:

          public Object doPost(@Context HttpServletRequest request) throws IOException {
              String batchId = request.getHeader("X-Batch-Id");

      This is how the old API now behaves:

      1. If no batch id is provided, initialize a batch with a server-side generated id by calling BatchManager#init().
      2. If a batch id is provided:
      • If an existing batch matches this id, use it. This is possible by making a first call to the new API, /api/v1/upload, but in this case why not use the new API through the whole upload process?
      • If no batch matches this id:
        • If the allowClientGeneratedBatchId configuration property is false, return an HTTP 500 error with the following message: "Cannot upload a file with a client-side generated batch id, please use new upload API or set configuration property allowClientGeneratedBatchId to true (not recommended)".
        • If the allowClientGeneratedBatchId configuration property is set to true, a batch will be initialized internally with this id by the BatchManager, with a warning in the logs: "Allowing to initialize upload batch with a client-side generated id since configuration property allowClientGeneratedBatchId is set to true but this is not recommended, please use new upload API instead".

      The allowClientGeneratedBatchId configuration property is not set by default (thus false) for the LTS 2015 to enforce security.
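
      The decision sequence above, modelled as an added Java sketch (not Nuxeo's code) that is handy as a reference when testing a legacy client against a 7.10 server. The class LegacyBatchIdPolicy, the Decision record, the in-memory batch set, the UUID id format, the 200 success status and treating an empty header as absent are all assumptions; records need Java 16 or later.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

// Added sketch: models the legacy endpoint's handling of the X-Batch-Id header.
// LegacyBatchIdPolicy, Decision and the in-memory set are hypothetical names.
public class LegacyBatchIdPolicy {

    /** Outcome of resolving the header: HTTP status (200 is assumed for success) and batch id. */
    public record Decision(int status, String batchId, String note) {}

    private final Set<String> batches = new HashSet<>(); // stand-in for the server's batch store
    private final boolean allowClientGeneratedBatchId;   // false when the property is not set

    public LegacyBatchIdPolicy(boolean allowClientGeneratedBatchId) {
        this.allowClientGeneratedBatchId = allowClientGeneratedBatchId;
    }

    /** Models a batch created by the server, for instance through the new upload API. */
    public String initServerSide() {
        String id = UUID.randomUUID().toString(); // id format is an assumption
        batches.add(id);
        return id;
    }

    public Decision resolve(String headerBatchId) {
        if (headerBatchId == null || headerBatchId.isEmpty()) {
            return new Decision(200, initServerSide(), "server-side generated id");
        }
        if (batches.contains(headerBatchId)) {
            return new Decision(200, headerBatchId, "existing batch reused");
        }
        if (!allowClientGeneratedBatchId) {
            return new Decision(500, null, "client-side generated batch id refused");
        }
        batches.add(headerBatchId); // the server logs a warning here: not recommended
        return new Decision(200, headerBatchId, "client-side generated id accepted");
    }

    public static void main(String[] args) {
        LegacyBatchIdPolicy strict = new LegacyBatchIdPolicy(false); // default configuration
        String known = strict.initServerSide();
        System.out.println(strict.resolve(null));            // new server-side id
        System.out.println(strict.resolve(known));           // existing batch reused
        System.out.println(strict.resolve("client-made-1")); // status 500
        System.out.println(new LegacyBatchIdPolicy(true).resolve("client-made-1")); // accepted
    }
}
```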

      This has consequences on the Nuxeo client code using the old batch upload API with a client-side generated id:

      Important note about Nuxeo Drive: starting from 7.10, the minimum compatible version of Nuxeo Drive will be the next released version, meaning the one following 2.0.911.
      This version will include NXDRIVE-433.

