Add feature flag for workhorse content type calculation

2 files changed, 13 insertions, 0 deletions

diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 638744a1426..bd42f00944f 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -140,6 +140,8 @@ module BlobHelper
     Gitlab::Sanitizers::SVG.clean(data)
   end
 
+  # Remove once https://gitlab.com/gitlab-org/gitlab-ce/issues/36103 is closed
+  # and :workhorse_set_content_type flag is removed
   # If we blindly set the 'real' content type when serving a Git blob we
   # are enabling XSS attacks. An attacker could upload e.g. a Javascript
   # file to a Git repository, trick the browser of a victim into
@@ -161,6 +163,8 @@ module BlobHelper
   end
 
   def content_disposition(blob, inline)
+    # Remove the following line when https://gitlab.com/gitlab-org/gitlab-ce/issues/36103
+    # is closed and :workhorse_set_content_type flag is removed
     return 'attachment' if blob.extension == 'svg'
 
     inline ? 'inline' : 'attachment'
diff --git a/app/helpers/workhorse_helper.rb b/app/helpers/workhorse_helper.rb
index 49c08dce96c..e9fc39e451b 100644
--- a/app/helpers/workhorse_helper.rb
+++ b/app/helpers/workhorse_helper.rb
@@ -6,8 +6,13 @@ module WorkhorseHelper
   # Send a Git blob through Workhorse
   def send_git_blob(repository, blob, inline: true)
     headers.store(*Gitlab::Workhorse.send_git_blob(repository, blob))
+
     headers['Content-Disposition'] = content_disposition(blob, inline)
     headers['Content-Type'] = safe_content_type(blob)
+
+    # If enabled, this will override the values set above
+    workhorse_set_content_type!
+
     render plain: ""
   end
 
@@ -40,4 +45,8 @@ module WorkhorseHelper
   def set_workhorse_internal_api_content_type
     headers['Content-Type'] = Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE
   end
+
+  def workhorse_set_content_type!
+    headers[Gitlab::Workhorse::DETECT_HEADER] = "true" if Feature.enabled?(:workhorse_set_content_type)
+  end
 end