If same file uploaded twice with different name, second name is not present in list about cdn HOT 4 CLOSED

This is a dangerous situation with security implications. Let's up this to critical level.

from cdn.

It's well known problem.
We are using md5 hash as a ID for files. Even if we will add new filename to the artifact when it's uploaded, we can't use it for downloading.
If user request download by ID and we have several name for this artifact, which filename should we provide for downloaded file?

To solve this problem we need to change ID to some unique value and migrate hashes to the separate field. But it is significant changes that will require changes in all other products.

@akarasulu btw, why did you marked it as critical and security? There is nothing about security here.

from cdn.

The problem here is that we did NOT design this to be multi-tenant and consider the potential collisions. This is left over craptoxiticity (just made up the word :D ) from Kurjun shit. We can fix this I am sure. Let me respond to your comments:

It's well known problem.

We still need to fix it.

We are using md5 hash as a ID for files. Even if we will add new filename to the artifact when it's uploaded, we can't use it for downloading.

We should not be using an identifier that cannot clash across users. I would use treat each upload as unique. So all artifacts uploaded in the system, even same files, should be linked to a unique primary key: UUID of the uploaded artifact. The md5 should still be used but as a secondary key which will produce duplicates.

Even the same thing uploaded twice by other people will be treated differently this way.

If user request download by ID and we have several name for this artifact, which filename should we provide for downloaded file? To solve this problem we need to change ID to some unique value and migrate hashes to the separate field. But it is significant changes that will require changes in all other products.

BTW I agree 100% with you.

YES unfortunately. This is the cost of early mistakes in the design.

@akarasulu btw, why did you marked it as critical and security? There is nothing about security here.

Sure let me explain. When one user can interfere with another users' shit in the system this falls under a security concern for me. It has security implications.

from cdn.

Is there currently any documentation on Gorjun?

If not can we get some basic information up here on the wiki?

Would also be nice to have a list of all the REST API endpoints.

I want to start working on how we can specify it properly going forward.

from cdn.