
Log all possible content_type values when downloading a generic package file

What does this MR do and why?

When a user uploads a CSS package file and references it from HTML to serve the CSS, the browser blocks the file, because the endpoint api/v4/projects/{project_id}/packages/generic/path/to/file always returns the content type application/octet-stream instead of text/css.

To return the correct content type, we opened an MR that tries to determine the correct content type for the file.

However, that fix might introduce security issues. After further discussion, we decided to keep an allowed list of content types: if the determined content type is on the list, we set it when returning the file; otherwise the content type stays application/octet-stream.

This MR is the first step: it unifies how the content type is determined from the filename and starts collecting all the content types that are actually seen.

References

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. Switch to this branch

  2. Enable feature flag

    Feature.enable(:packages_generic_package_content_type)
  3. Monitor application_json.log

    tail -f log/application_json.log
  4. Open the Package Registry page and download a file, or download it through the generic package file endpoint

    curl -L --header "PRIVATE-TOKEN: ${TOKEN}" \
      "${GITLAB_URL}/api/v4/projects/${PROJECT_ID}/packages/generic/path/to/path/filename.extension" \
      --output filename.extension
  5. The log entry should appear in application_json.log

    {"severity":"INFO","time":"2025-07-09T14:02:27.472Z","correlation_id":"01JZQQXC84NFA2714AJRVJ87Y9","meta.caller_id":"Projects::Packages::PackageFilesController#download","meta.feature_category":"package_registry","meta.organization_id":1,"meta.remote_ip":"127.0.0.1","meta.user":"root","meta.user_id":1,"meta.project":"gitlab-org/gitlab-test","meta.root_namespace":"gitlab-org","meta.client_id":"user/1","determined_content_type":"text/css"}
    
    {"severity":"INFO","time":"2025-07-09T14:04:52.306Z","correlation_id":"01JZQR1SYY1N2WPQ7PK1BZ2W0G","meta.caller_id":"GET /api/:version/projects/:id/packages/generic/:package_name/*package_version/(*path/):file_name","meta.remote_ip":"127.0.0.1","meta.feature_category":"package_registry","meta.user":"root","meta.user_id":1,"meta.client_id":"user/1","determined_content_type":"text/css"}
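The following is an added example, not code from this MR or from GitLab. It sketches the two-step plan described above (first determine the content type from the filename and log it, later only honour types on an allowed list, with application/octet-stream as the fallback) and a small tally over application_json.log lines of the kind shown in step 5, so the collected determined_content_type values can be reviewed before the allowed list is decided. The extension table, the allowed list and the sample log lines are constructed for the example; the function names are hypothetical.

```ruby
require 'json'
require 'time'

# Constructed extension-to-MIME table (assumption for this example; a real
# implementation would consult a full MIME database).
EXTENSION_CONTENT_TYPES = {
  '.css'  => 'text/css',
  '.js'   => 'text/javascript',
  '.html' => 'text/html',
  '.svg'  => 'image/svg+xml',
  '.json' => 'application/json',
  '.png'  => 'image/png',
  '.txt'  => 'text/plain'
}.freeze

# Fallback the endpoint returns today for every file.
DEFAULT_CONTENT_TYPE = 'application/octet-stream'

# Hypothetical allowed list. Types a browser would render as an active
# document (text/html, image/svg+xml, text/javascript) are left out, so they
# keep the octet-stream fallback and are downloaded rather than rendered.
SAFE_CONTENT_TYPES = %w[text/css text/plain application/json image/png].freeze

# Step 1 (this MR): determine the content type from the filename alone.
def determine_content_type(filename)
  ext = File.extname(filename.to_s).downcase
  EXTENSION_CONTENT_TYPES.fetch(ext, DEFAULT_CONTENT_TYPE)
end

# Step 2 (planned follow-up): only set a determined type that is allowed.
def response_content_type(filename)
  determined = determine_content_type(filename)
  SAFE_CONTENT_TYPES.include?(determined) ? determined : DEFAULT_CONTENT_TYPE
end

# Build one application_json.log entry with the fields shown in step 5.
def content_type_log_entry(filename, caller_id:, user_id:, now: Time.now.utc)
  {
    'severity' => 'INFO',
    'time' => now.iso8601(3),
    'meta.caller_id' => caller_id,
    'meta.feature_category' => 'package_registry',
    'meta.user_id' => user_id,
    'determined_content_type' => determine_content_type(filename)
  }.to_json
end

# Count determined_content_type values over raw log lines, skipping lines
# that are not JSON objects or that carry no such field.
def tally_content_types(log_lines)
  log_lines.each_with_object(Hash.new(0)) do |line, counts|
    entry = JSON.parse(line) rescue nil
    next unless entry.is_a?(Hash)

    type = entry['determined_content_type']
    counts[type] += 1 if type
  end
end

# Constructed sample of what `tail -f log/application_json.log` might show.
CALLER_ID = 'Projects::Packages::PackageFilesController#download'
SAMPLE_LOG_LINES = [
  content_type_log_entry('style.css', caller_id: CALLER_ID, user_id: 1),
  content_type_log_entry('index.html', caller_id: CALLER_ID, user_id: 1),
  content_type_log_entry('archive.bin', caller_id: CALLER_ID, user_id: 1),
  'not a json line',
  '{"severity":"INFO","message":"unrelated entry"}'
].freeze

if $PROGRAM_NAME == __FILE__
  tally_content_types(SAMPLE_LOG_LINES).each do |type, count|
    served = SAFE_CONTENT_TYPES.include?(type) ? type : DEFAULT_CONTENT_TYPE
    puts format('%-28s seen %d time(s), would be served as %s', type, count, served)
  end
end
```

Run it directly to print the tally; in the real log the same field can be aggregated with any JSON-aware log tool. The point of the tally is that every value it reports is a candidate for the allowed list, and anything not on that list silently keeps the octet-stream fallback.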

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #552989 (closed)

Edited by Sylvia Shen
