[PM-20344] Throw BadRequestException when uploading attachments with …#7899
[PM-20344] Throw BadRequestException when uploading attachments with …#7899mcamirault wants to merge 1 commit into
Conversation
…same name as existing attachment
🤖 Bitwarden Claude Code ReviewOverall Assessment: REQUEST CHANGES Reviewed the server-side guard added to Code Review Details
|
| throw new BadRequestException($"Max file size is {CipherService.MAX_FILE_SIZE_READABLE}."); | ||
| } | ||
|
|
||
| if (cipher.GetAttachments().Values.Any(v => v.FileName == request.FileName)) |
There was a problem hiding this comment.
❌ CRITICAL: GetAttachments() returns null for a cipher with no existing attachments, so .Values throws NullReferenceException on the first attachment upload (the common case).
Details and fix
Cipher.GetAttachments() returns null when Attachments is null/empty (see src/Core/Vault/Entities/Cipher.cs:48-51). Calling .Values directly on the null result throws on the most common path: uploading the first attachment to a cipher.
Every other caller in the codebase null-guards this (e.g. cipher.GetAttachments() ?? new Dictionary<...> in CipherService.cs:409, attachments?.Count in CipherRequestModel.cs:162). Suggested fix:
var existingAttachments = cipher.GetAttachments();
if (existingAttachments != null && existingAttachments.Values.Any(v => v.FileName == request.FileName))
{
throw new BadRequestException("Items cannot have multiple attachments with the same file name");
}The added test only exercises the case where an attachment already exists, so it would not catch this regression. Consider adding a test for uploading to a cipher with no existing attachments.
|
|
Nevermind, this won't work since the file name is encrypted |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #7899 +/- ##
==========================================
+ Coverage 61.24% 61.25% +0.01%
==========================================
Files 2223 2223
Lines 98196 98199 +3
Branches 8869 8869
==========================================
+ Hits 60143 60156 +13
+ Misses 35933 35920 -13
- Partials 2120 2123 +3 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|



…same name as existing attachment
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-20344
📔 Objective
This PR adds a BadRequestException when trying to upload an attachment with the same name as an existing attachment. This will be prevented client-side by this PR for every client except the CLI, which will be covered by this server change.