test(minidump): Upload from external #5977
Conversation
| let upload_length = match (upload_length, upload_defer_length) { | ||
| (Some(u), None) => Ok(Some(u)), | ||
| (None, Some(1)) => Ok(None), |
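Review bot: the `(None, Some(1)) => Ok(None)` arm accepts a deferred length for every caller, with no parameter left to refuse it, and the later discussion on this page notes the only caller is the external `handle_post` endpoint. Keep the deferred case gated, for example `(None, Some(1)) if allow_defer_length => Ok(None)` followed by `(None, Some(1)) => Err(Error::DeferLengthNotAllowed)`, so that an external POST carrying `Upload-Defer-Length: 1` is rejected instead of being passed on with `upload_length = None`.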
Removing allow_defer_length lets external clients bypass upload quota accounting
validate_post_headers no longer distinguishes trusted vs external callers and unconditionally accepts Upload-Defer-Length: 1. The only caller, handle_post in endpoints/upload.rs, is an external HTTP endpoint. When a deferred length is used, upload_length is None, so the max_upload_size pre-check at upload.rs:160 is skipped and check_request invokes item.set_attachment_length(upload_length.unwrap_or(1)), causing the envelope quota/rate-limit check to count only 1 byte regardless of the eventual payload size (which is bounded only by max_upload_size in the PATCH stream). External clients can therefore upload attachments up to max_upload_size while bypassing per-project attachment byte quotas and rate limits, enabling abuse of paid attachment quota.
Verification
Read relay-server/src/utils/tus.rs lines 75-104 (hunk) and relay-server/src/endpoints/upload.rs lines 100-340. Confirmed handle_post is the only caller of validate_post_headers and is exposed via an external route with RequestBodyLimitLayer. Traced upload_length=None path through check_request (sets attachment_length to 1) and into handle_patch where BoundedStream uses (1, max_upload_size). The previous signature with allow_defer_length=false would have rejected Upload-Defer-Length on this path via Error::DeferLengthNotAllowed.
Identified by Warden security-review · YSG-QKP
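The deferred-length path traced in the comment above, as an added example in Rust. This is not code from the relay project: `validate_post_headers` here is a model of the header check with the `allow_defer_length` gate restored, and `Quota`, `Outcome`, `charge_quota`, `simulate_upload` and every byte count are assumptions made for illustration. It shows the gate refusing deferral for an external caller, and what happens to the quota count when the gate is absent and the quota is charged `unwrap_or(1)` bytes.

```rust
// Added example, not code from the relay project. It models the tus POST
// header validation discussed in the review comment with an explicit
// `allow_defer_length` gate, and a toy quota model that makes the undercount
// visible. `Quota`, `Outcome`, `simulate_upload` and every number below are
// assumptions for illustration, not relay's real types or limits.

#[derive(Debug, PartialEq)]
pub enum Error {
    MissingLength,
    ConflictingLength,
    InvalidDeferLength,
    DeferLengthNotAllowed,
}

/// Validates `Upload-Length` / `Upload-Defer-Length` on a tus creation (POST).
/// Returns `Some(len)` for a declared length and `None` for a deferred one.
/// Only callers that pass `allow_defer_length = true` may defer the length;
/// an external HTTP endpoint must pass `false`.
pub fn validate_post_headers(
    upload_length: Option<u64>,
    upload_defer_length: Option<u64>,
    allow_defer_length: bool,
) -> Result<Option<u64>, Error> {
    match (upload_length, upload_defer_length) {
        (Some(u), None) => Ok(Some(u)),
        (None, Some(1)) if allow_defer_length => Ok(None),
        (None, Some(1)) => Err(Error::DeferLengthNotAllowed),
        (None, Some(_)) => Err(Error::InvalidDeferLength),
        (Some(_), Some(_)) => Err(Error::ConflictingLength),
        (None, None) => Err(Error::MissingLength),
    }
}

/// Toy per-project attachment byte quota (assumed shape).
pub struct Quota {
    pub limit_bytes: u64,
    pub used_bytes: u64,
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Rejected(Error),
    TooLarge,
    OverQuota,
    /// `charged` is what the quota counted, `stored` is what actually landed.
    Accepted { charged: u64, stored: u64 },
}

/// Mirrors the `set_attachment_length(upload_length.unwrap_or(1))` pattern
/// quoted in the review: the quota is charged the declared length, or a
/// single byte when the length was deferred.
pub fn charge_quota(quota: &mut Quota, upload_length: Option<u64>) -> bool {
    let charge = upload_length.unwrap_or(1);
    if quota.used_bytes.saturating_add(charge) > quota.limit_bytes {
        return false;
    }
    quota.used_bytes += charge;
    true
}

/// Walks one upload through the path the review describes: header validation,
/// the `max_upload_size` pre-check (which only runs for a declared length),
/// the quota charge, and finally a PATCH stream bounded only by `max_upload_size`.
pub fn simulate_upload(
    quota: &mut Quota,
    upload_length: Option<u64>,
    upload_defer_length: Option<u64>,
    allow_defer_length: bool,
    actual_payload: u64,
    max_upload_size: u64,
) -> Outcome {
    let declared = match validate_post_headers(upload_length, upload_defer_length, allow_defer_length) {
        Ok(d) => d,
        Err(e) => return Outcome::Rejected(e),
    };
    // Pre-check on the declared size; skipped entirely when the length is deferred.
    if matches!(declared, Some(len) if len > max_upload_size) {
        return Outcome::TooLarge;
    }
    if !charge_quota(quota, declared) {
        return Outcome::OverQuota;
    }
    // The PATCH stream is bounded by max_upload_size, not by the quota, and by
    // this point the quota has already been charged, as in the POST/PATCH split.
    if actual_payload > max_upload_size {
        return Outcome::TooLarge;
    }
    Outcome::Accepted { charged: declared.unwrap_or(1), stored: actual_payload }
}

fn main() {
    let mut quota = Quota { limit_bytes: 1_000, used_bytes: 0 };
    // External caller with the gate closed: deferral is refused before any accounting.
    let external = simulate_upload(&mut quota, None, Some(1), false, 900, 10_000);
    println!("external deferred: {:?}", external);
    // The same request once the gate is gone: 900 bytes stored, 1 byte charged.
    let ungated = simulate_upload(&mut quota, None, Some(1), true, 900, 10_000);
    println!("ungated deferred: {:?}, quota used = {}", ungated, quota.used_bytes);
}
```

The assumed numbers make the point concrete: with a 1,000 byte quota and a 10,000 byte `max_upload_size`, an ungated deferred upload stores 900 bytes while consuming one byte of quota, whereas the same payload with a declared length is charged in full and a 2,000 byte declaration is refused as over quota.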
Legal Boilerplate
Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.