Nuxeo Platform / NXP-18030

Don't allow batch upload with a client-side generated id

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.4
    • Fix Version/s: 7.10
    • Component/s: File Upload , Rest API
    • Tags:
    • Impact type:
      API change
    • Upgrade notes:
      Deprecated BatchManager#initBatch(String batchId, String contextName);

    • Sprint:
      drive-7.10-1, drive-7.10-2
    • Story Points:
      2

      Description

      The new upload API implemented by BatchUploadObject doesn't allow such a thing.
      Whatever request is made to the /api/v1/upload endpoint, the batchId is part of the resource itself, e.g.:

          @POST
          @Path("{batchId}/{fileIdx}")
          public Response upload(@Context HttpServletRequest request, @PathParam(REQUEST_BATCH_ID) String batchId, @PathParam(REQUEST_FILE_IDX) String fileIdx) throws IOException
      

      A 404 status code is returned if the batch matching the given id doesn't exist.

      Yet the old API, deprecated but maintained for backward compatibility, does allow such a client-side generated id passed as a request header, see BatchResource:

          @Deprecated
          @POST
          @Path("/upload")
          public Object doPost(@Context HttpServletRequest request) throws IOException {
              ...
              String batchId = request.getHeader("X-Batch-Id");
              ...
          }
      

      This is how the old API now behaves:

      1. If no batch id is provided, initialize a batch with a server-side generated id by calling BatchManager#init().
      2. If a batch id is provided:
      • If an existing batch matches this id, use it. This is possible by making a first call to the new API (/api/v1/upload), but in that case why not use the new API through the whole upload process?
      • If no batch matches this id:
        • If the allowClientGeneratedBatchId configuration property is false, return an HTTP 500 error with the following message "Cannot upload a file with a client-side generated batch id, please use new upload API or set configuration property allowClientGeneratedBatchId to true (not recommended)".
        • If the allowClientGeneratedBatchId configuration property is set to true, a batch will be initialized internally with this id by the BatchManager, with a warning in the logs: "Allowing to initialize upload batch with a client-side generated id since configuration property allowClientGeneratedBatchId is set to true but this is not recommended, please use new upload API instead".

      The allowClientGeneratedBatchId configuration property is not set by default (thus false) for the LTS 2015 to enforce security.
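
The resolution order described above, written out as an added Java example (it is not Nuxeo's own code). The class LegacyBatchIdPolicy, its in-memory registry and the sample id are hypothetical stand-ins for BatchResource and BatchManager, and the error and warning texts are abbreviated.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical model of how the legacy upload endpoint resolves the X-Batch-Id header. */
public class LegacyBatchIdPolicy {

    // Hypothetical in-memory registry standing in for the batches BatchManager knows about.
    private final Map<String, Boolean> batches = new ConcurrentHashMap<>();
    private final boolean allowClientGeneratedBatchId;

    public LegacyBatchIdPolicy(boolean allowClientGeneratedBatchId) {
        this.allowClientGeneratedBatchId = allowClientGeneratedBatchId;
    }

    /** Returns the batch id to use, or throws when a client-side generated id is refused. */
    public String resolve(String headerBatchId) {
        if (headerBatchId == null || headerBatchId.isEmpty()) {
            // 1. No id provided: the server generates one.
            String id = UUID.randomUUID().toString();
            batches.put(id, Boolean.TRUE);
            return id;
        }
        if (batches.containsKey(headerBatchId)) {
            // 2a. The id matches a batch the server already created: use it.
            return headerBatchId;
        }
        if (!allowClientGeneratedBatchId) {
            // 2b. Unknown id and property false: refuse (HTTP 500 in the old API).
            throw new IllegalStateException(
                    "Cannot upload a file with a client-side generated batch id");
        }
        // 2c. Unknown id accepted only because the property is true; warn in the logs.
        System.err.println("WARN: initializing upload batch with a client-side generated id");
        batches.put(headerBatchId, Boolean.TRUE);
        return headerBatchId;
    }

    public static void main(String[] args) {
        LegacyBatchIdPolicy strict = new LegacyBatchIdPolicy(false); // default setting
        String serverId = strict.resolve(null);
        System.out.println("server id reused: " + serverId.equals(strict.resolve(serverId)));
        try {
            strict.resolve("client-chosen-id"); // constructed sample value
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        LegacyBatchIdPolicy lenient = new LegacyBatchIdPolicy(true);
        System.out.println("lenient accepted: " + lenient.resolve("client-chosen-id"));
    }
}
```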

      This has consequences on the Nuxeo client code using the old batch upload API with a client-side generated id:

      Important note about Nuxeo Drive: starting from 7.10, the minimum compatible version of Nuxeo Drive will be the next released version, meaning the one following 2.0.911.
      This version will include NXDRIVE-433.
