Package upload (/channels/{channel_name}/upload/{filename}) must fail early before reading the package to upload #709

Open
najose opened this issue Jan 29, 2025 · 0 comments · May be fixed by #710

najose commented Jan 29, 2025

Currently, the upload endpoint reads the request stream, which contains the package to upload, and then asserts whether the user has access to the channel. Depending on the size of the package, this could mean that it takes a bit of time before Quetz responds with a 403 status code.

quetz/quetz/main.py

Lines 1456 to 1489 in 56ab2cf

```python
@api_router.post(
    "/channels/{channel_name}/upload/{filename}", status_code=201, tags=["upload"]
)
async def post_upload(
    background_tasks: BackgroundTasks,
    request: Request,
    channel_name: str,
    filename: str,
    sha256: str,
    force: bool = False,
    dao: Dao = Depends(get_dao),
    auth: authorization.Rules = Depends(get_rules),
):
    logger.debug(
        f"Uploading file {filename} with checksum {sha256} to channel {channel_name}"
    )
    # The whole request body is spooled to a temporary file and hashed
    # before any permission check has happened.
    upload_hash = hashlib.sha256()
    body = TemporaryFile()
    async for chunk in request.stream():
        body.write(chunk)
        upload_hash.update(chunk)
    if sha256 and upload_hash.hexdigest() != sha256:
        raise HTTPException(
            status_code=status.HTTP_406_NOT_ACCEPTABLE, detail="Wrong SHA256 checksum"
        )
    # here we use the owner_id as user_id. In case the authentication
    # was done using an API Key, we want to attribute the uploaded package
    # to the owner of that API Key and not the anonymous API Key itself.
    user_id = auth.assert_owner()
    # Only now is the caller's permission on the channel checked.
    auth.assert_create_package(channel_name)
```

Quetz should assert the permissions on the channel before reading the package from the request body, so it can fail early.
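The two orderings this issue contrasts, as an added example that is not Quetz code: a plain-Python model of the handler in which FastAPI's `Request.stream()` and `HTTPException` are replaced by stand-ins and the `auth.assert_create_package` call by an `allowed` flag, measuring how many body bytes a caller without channel permission gets the server to read before the 403.

```python
import asyncio
import hashlib


class HTTPException(Exception): pass  # stand-in for fastapi.HTTPException; args are (status_code, detail)


async def body_stream(chunks):
    """Stand-in for request.stream(): yields whatever the handler pulls from `chunks`."""
    for chunk in chunks:
        yield chunk


async def hash_body(stream) -> str:
    """Consume the whole body while hashing it (the original loop also spools it to a TemporaryFile)."""
    upload_hash = hashlib.sha256()
    async for chunk in stream:
        upload_hash.update(chunk)
    return upload_hash.hexdigest()


async def upload_late_check(stream, allowed: bool, sha256: str) -> str:
    """Current ordering: whole body consumed, then checksum, then permission."""
    digest = await hash_body(stream)
    if sha256 and digest != sha256:
        raise HTTPException(406, "Wrong SHA256 checksum")
    if not allowed:
        raise HTTPException(403, "not allowed to create packages in channel")
    return digest


async def upload_early_check(stream, allowed: bool, sha256: str) -> str:
    """Proposed ordering: permission first, so a 403 costs zero body bytes."""
    if not allowed:
        raise HTTPException(403, "not allowed to create packages in channel")
    digest = await hash_body(stream)
    if sha256 and digest != sha256:
        raise HTTPException(406, "Wrong SHA256 checksum")
    return digest


def bytes_consumed_before_403(handler) -> int:
    """Run handler for a caller without channel permission; count body bytes pulled."""
    package = [b"x" * 1024] * 8  # constructed 8 KiB "package", 8192 bytes
    chunks = iter(package)
    try:
        asyncio.run(handler(body_stream(chunks), False, ""))
    except HTTPException as exc:
        assert exc.args[0] == 403
    return sum(map(len, package)) - sum(map(len, chunks))  # pulled = total - left
```

With the current ordering every byte of the package is read before the 403; with the check moved first, none is.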
