authorFrancisco Javier López <fjlopez@gitlab.com>2018-12-06 21:22:39 +0000
committerNick Thomas <nick@gitlab.com>2018-12-06 21:22:39 +0000
commitcf8b8ff99b26d0a1f90be289cea08344bb8baff6 (patch)
tree1dfbc129a7be2e2d15ce9343045275fdcdce3be3 /app
parentc3bbad762d418857e3f5b52222f5eedd62663229 (diff)
downloadgitlab-ce-cf8b8ff99b26d0a1f90be289cea08344bb8baff6.tar.gz
Add feature flag for workhorse content type calculation
Diffstat (limited to 'app')
-rw-r--r--app/controllers/concerns/snippets_actions.rb2
-rw-r--r--app/controllers/concerns/uploads_actions.rb1
-rw-r--r--app/controllers/projects/jobs_controller.rb18
-rw-r--r--app/helpers/blob_helper.rb4
-rw-r--r--app/helpers/workhorse_helper.rb9
5 files changed, 33 insertions, 1 deletions
diff --git a/app/controllers/concerns/snippets_actions.rb b/app/controllers/concerns/snippets_actions.rb
index 8c22490700c..014232a7d05 100644
--- a/app/controllers/concerns/snippets_actions.rb
+++ b/app/controllers/concerns/snippets_actions.rb
@@ -10,6 +10,8 @@ module SnippetsActions
def raw
disposition = params[:inline] == 'false' ? 'attachment' : 'inline'
+ workhorse_set_content_type!
+
send_data(
convert_line_endings(@snippet.content),
type: 'text/plain; charset=utf-8',
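Review bot: Nothing in `raw` says that the `disposition` derived from `params[:inline]` and the `type: 'text/plain; charset=utf-8'` passed to send_data only apply when the flag is off; the comment this commit adds to send_git_blob ("If enabled, this will override the values set above") describes the same override and belongs here too. Suggested line above the new call: `# With :workhorse_set_content_type on, Workhorse re-derives Content-Type and Content-Disposition; the values passed to send_data below are then replaced.` The uploads_actions hunk has the same gap. `raw`'s send_data call continues outside the hunk.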
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb
index 5912fffc058..0eea0cdd50f 100644
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -38,6 +38,7 @@ module UploadsActions
return render_404 unless uploader
+ workhorse_set_content_type!
send_upload(uploader, attachment: uploader.filename, disposition: disposition)
end
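Review bot: `workhorse_set_content_type!` is called before `send_upload` without regard to which path send_upload takes; if an uploader on remote storage is answered with a redirect instead of a Workhorse send-file header (the jobs_controller hunk in this commit passes `redirect_params` to the same helper, which suggests such a path exists), the detect header lands on a redirect response where it has no effect and the object's Content-Type is whatever the remote store returns. Either document that the flag only covers the local-storage path, or move the call into send_upload's non-redirect branch so the gating lives in one place. The enclosing method's `def` line is outside the hunk.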
diff --git a/app/controllers/projects/jobs_controller.rb b/app/controllers/projects/jobs_controller.rb
index 3ecf94c008e..c58b30eace7 100644
--- a/app/controllers/projects/jobs_controller.rb
+++ b/app/controllers/projects/jobs_controller.rb
@@ -140,15 +140,22 @@ class Projects::JobsController < Projects::ApplicationController
def raw
if trace_artifact_file
+ workhorse_set_content_type!
send_upload(trace_artifact_file,
send_params: raw_send_params,
redirect_params: raw_redirect_params)
else
build.trace.read do |stream|
if stream.file?
+ workhorse_set_content_type!
send_file stream.path, type: 'text/plain; charset=utf-8', disposition: 'inline'
else
- send_data stream.raw, type: 'text/plain; charset=utf-8', disposition: 'inline', filename: 'job.log'
+ # In this case we can't use workhorse_set_content_type! and let
+ # Workhorse handle the response because the data is streamed directly
+ # to the user but, because we have the trace content, we can calculate
+ # the proper content type and disposition here.
+ raw_data = stream.raw
+ send_data raw_data, type: 'text/plain; charset=utf-8', disposition: raw_trace_content_disposition(raw_data), filename: 'job.log'
end
end
end
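Review bot: The send_data branch changes behaviour even with the feature flag off: `raw_trace_content_disposition(raw_data)` can now return 'attachment' for a trace whose leading bytes do not look like text/plain, whereas the two branches above only delegate to Workhorse behind `Feature.enabled?(:workhorse_set_content_type)`. If that asymmetry is intended, the new comment block should say so explicitly (e.g. `# This branch is not behind the feature flag.`); if not, `disposition: Feature.enabled?(:workhorse_set_content_type) ? raw_trace_content_disposition(raw_data) : 'inline'` keeps the previous always-inline behaviour while the flag is off. `raw`'s closing `end` is outside the hunk.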
@@ -201,4 +208,13 @@ class Projects::JobsController < Projects::ApplicationController
def build_path(build)
project_job_path(build.project, build)
end
+
+ def raw_trace_content_disposition(raw_data)
+ mime_type = MimeMagic.by_magic(raw_data)
+
+ # if mime_type is nil can also represent 'text/plain'
+ return 'inline' if mime_type.nil? || mime_type.type == 'text/plain'
+
+ 'attachment'
+ end
end
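Review bot: `raw_trace_content_disposition` has no header comment, and the inline one, `# if mime_type is nil can also represent 'text/plain'`, is hard to parse; suggest `# MimeMagic.by_magic returns nil when no signature matches; treat that like text/plain so ordinary logs keep rendering inline.` plus a YARD header along the lines of `# @param raw_data [String] the full trace content` / `# @return [String] 'inline' or 'attachment'`. Whether the new method is private depends on a `private` keyword above `build_path` that is outside the hunk; if it is public it becomes an action method on the controller, so confirm. It may also be worth stating that a non-text match only changes the disposition, not the text/plain type set by the caller.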
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 638744a1426..bd42f00944f 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -140,6 +140,8 @@ module BlobHelper
Gitlab::Sanitizers::SVG.clean(data)
end
+ # Remove once https://gitlab.com/gitlab-org/gitlab-ce/issues/36103 is closed
+ # and :workhorse_set_content_type flag is removed
# If we blindly set the 'real' content type when serving a Git blob we
# are enabling XSS attacks. An attacker could upload e.g. a Javascript
# file to a Git repository, trick the browser of a victim into
@@ -161,6 +163,8 @@ module BlobHelper
end
def content_disposition(blob, inline)
+ # Remove the following line when https://gitlab.com/gitlab-org/gitlab-ce/issues/36103
+ # is closed and :workhorse_set_content_type flag is removed
return 'attachment' if blob.extension == 'svg'
inline ? 'inline' : 'attachment'
diff --git a/app/helpers/workhorse_helper.rb b/app/helpers/workhorse_helper.rb
index 49c08dce96c..e9fc39e451b 100644
--- a/app/helpers/workhorse_helper.rb
+++ b/app/helpers/workhorse_helper.rb
@@ -6,8 +6,13 @@ module WorkhorseHelper
# Send a Git blob through Workhorse
def send_git_blob(repository, blob, inline: true)
headers.store(*Gitlab::Workhorse.send_git_blob(repository, blob))
+
headers['Content-Disposition'] = content_disposition(blob, inline)
headers['Content-Type'] = safe_content_type(blob)
+
+ # If enabled, this will override the values set above
+ workhorse_set_content_type!
+
render plain: ""
end
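Review bot: Calling `workhorse_set_content_type!` after `safe_content_type(blob)` means that, with the flag on, the Rails-side safelist whose XSS rationale is spelled out in blob_helper (also touched in this commit) is no longer the final word for Git blobs, since Workhorse's detection replaces both headers. The comment `# If enabled, this will override the values set above` should say what the replacement is expected to preserve, e.g. `# With :workhorse_set_content_type on, Workhorse re-derives Content-Type/Content-Disposition from the blob content and must apply the same inline-safelist rules as safe_content_type/content_disposition (see blob_helper); that equivalence is why this is behind a flag.` Workhorse's rules are not visible in this diff, so that equivalence is something to verify rather than assume. send_git_blob's body is fully inside the hunk.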
@@ -40,4 +45,8 @@ module WorkhorseHelper
def set_workhorse_internal_api_content_type
headers['Content-Type'] = Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE
end
+
+ def workhorse_set_content_type!
+ headers[Gitlab::Workhorse::DETECT_HEADER] = "true" if Feature.enabled?(:workhorse_set_content_type)
+ end
end
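Review bot: `workhorse_set_content_type!` has no doc comment, and its `!` suffix has no non-bang counterpart, which Ruby convention reserves for the dangerous variant of an existing safe method; here it marks a header side effect, so either document that convention or consider a name without the bang. Suggested header: `# Ask Workhorse to detect Content-Type/Content-Disposition for this response` / `# by setting DETECT_HEADER; a no-op unless :workhorse_set_content_type is enabled.` / `# Call before the send_*/render that completes the action.` Note the helper never clears a previously set detect header when the flag is off, which is fine only as long as no caller sets that header by another route.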