Fixed api content-disposition in blob and files endpoint

changelogs/unreleased/fj-55781-fix-api-blob-content-disposition.yml

+---
+title: Fix content-disposition in blobs and files API endpoint
+merge_request: 24078
+author:
+type: fixed

lib/api/helpers.rb

@@ -496,7 +496,7 @@ module API
     def send_git_blob(repository, blob)
       env['api.format'] = :txt
       content_type 'text/plain'
-      header['Content-Disposition'] = "attachment; filename=#{blob.name.inspect}"
+      header['Content-Disposition'] = content_disposition('attachment', blob.name)
       header(*Gitlab::Workhorse.send_git_blob(repository, blob))
     end
 
@@ -529,5 +529,11 @@ module API
 
       params[:archived]
     end
+
+    def content_disposition(disposition, filename)
+      disposition += %(; filename=#{filename.inspect}) if filename.present?
+
+      disposition
+    end
   end
 end

scripts/prepare_build.sh

@@ -10,7 +10,7 @@ fi
 
 # Only install knapsack after bundle install! Otherwise oddly some native
 # gems could not be found under some circumstance. No idea why, hours wasted.
-retry gem install knapsack --no-ri --no-rdoc
+retry gem install knapsack --no-document
 
 cp config/gitlab.yml.example config/gitlab.yml
 sed -i 's/bin_path: \/usr\/bin\/git/bin_path: \/usr\/local\/bin\/git/' config/gitlab.yml

spec/lib/api/helpers_spec.rb

@@ -148,4 +148,36 @@ describe API::Helpers do
 
     it_behaves_like 'user namespace finder'
   end
+
+  describe '#send_git_blob' do
+    context 'content disposition' do
+      let(:repository) { double }
+      let(:blob) { double(name: 'foobar') }
+
+      let(:send_git_blob) do
+        subject.send(:send_git_blob, repository, blob)
+      end
+
+      before do
+        allow(subject).to receive(:env).and_return({})
+        allow(subject).to receive(:content_type)
+        allow(subject).to receive(:header).and_return({})
+        allow(Gitlab::Workhorse).to receive(:send_git_blob)
+      end
+
+      context 'when blob name is null' do
+        let(:blob) { double(name: nil) }
+
+        it 'returns only the disposition' do
+          expect(send_git_blob['Content-Disposition']).to eq 'attachment'
+        end
+      end
+
+      context 'when blob name is not null' do
+        it 'returns disposition with the blob name' do
+          expect(send_git_blob['Content-Disposition']).to eq 'attachment; filename="foobar"'
+        end
+      end
+    end
+  end
 end

spec/requests/api/files_spec.rb

@@ -190,7 +190,7 @@ describe API::Files do
 
         get api(url, current_user), params: params
 
-        expect(headers['Content-Disposition']).to match(/^attachment/)
+        expect(headers['Content-Disposition']).to eq('attachment; filename="popen.rb"')
       end
 
       context 'when mandatory params are not given' do

spec/requests/api/repositories_spec.rb

@@ -171,7 +171,7 @@ describe API::Repositories do
       it 'forces attachment content disposition' do
         get api(route, current_user)
 
-        expect(headers['Content-Disposition']).to match(/^attachment/)
+        expect(headers['Content-Disposition']).to eq 'attachment'
       end
 
       context 'when sha does not exist' do