Skip to content

[PM-20344] Throw BadRequestException when uploading attachments with …#7899

Closed
mcamirault wants to merge 1 commit into
mainfrom
tools/pm-20344/disallow-attachments-with-same-name
Closed

[PM-20344] Throw BadRequestException when uploading attachments with …#7899
mcamirault wants to merge 1 commit into
mainfrom
tools/pm-20344/disallow-attachments-with-same-name

Conversation

@mcamirault

Copy link
Copy Markdown
Contributor

…same name as existing attachment

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-20344

📔 Objective

This PR adds a BadRequestException when trying to upload an attachment with the same name as an existing attachment. This will be prevented client-side by this PR for every client except the CLI, which will be covered by this server change.

@mcamirault mcamirault requested a review from a team as a code owner June 30, 2026 18:00
@mcamirault mcamirault requested a review from shane-melton June 30, 2026 18:00
@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🤖 Bitwarden Claude Code Review

Overall Assessment: REQUEST CHANGES

Reviewed the server-side guard added to CiphersController.PostAttachment that rejects uploads whose file name matches an existing attachment, plus its accompanying unit test. The change is small and the intent is clear, but the null-handling on GetAttachments() introduces a regression on the most common upload path.

Code Review Details
  • ❌ : GetAttachments() returns null when a cipher has no attachments; calling .Values throws NullReferenceException on the first attachment upload.
    • src/Api/Vault/Controllers/CiphersController.cs:1335

throw new BadRequestException($"Max file size is {CipherService.MAX_FILE_SIZE_READABLE}.");
}

if (cipher.GetAttachments().Values.Any(v => v.FileName == request.FileName))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CRITICAL: GetAttachments() returns null for a cipher with no existing attachments, so .Values throws NullReferenceException on the first attachment upload (the common case).

Details and fix

Cipher.GetAttachments() returns null when Attachments is null/empty (see src/Core/Vault/Entities/Cipher.cs:48-51). Calling .Values directly on the null result throws on the most common path: uploading the first attachment to a cipher.

Every other caller in the codebase null-guards this (e.g. cipher.GetAttachments() ?? new Dictionary<...> in CipherService.cs:409, attachments?.Count in CipherRequestModel.cs:162). Suggested fix:

var existingAttachments = cipher.GetAttachments();
if (existingAttachments != null && existingAttachments.Values.Any(v => v.FileName == request.FileName))
{
    throw new BadRequestException("Items cannot have multiple attachments with the same file name");
}

The added test only exercises the case where an attachment already exists, so it would not catch this regression. Consider adding a test for uploading to a cipher with no existing attachments.

@sonarqubecloud

Copy link
Copy Markdown

@mcamirault

Copy link
Copy Markdown
Contributor Author

Nevermind, this won't work since the file name is encrypted

@mcamirault mcamirault closed this Jun 30, 2026
@mcamirault mcamirault deleted the tools/pm-20344/disallow-attachments-with-same-name branch June 30, 2026 18:23
@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.25%. Comparing base (32ce40c) to head (ab010fa).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7899      +/-   ##
==========================================
+ Coverage   61.24%   61.25%   +0.01%     
==========================================
  Files        2223     2223              
  Lines       98196    98199       +3     
  Branches     8869     8869              
==========================================
+ Hits        60143    60156      +13     
+ Misses      35933    35920      -13     
- Partials     2120     2123       +3     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant