Opening files in the browser or downloading them
Context
We adopted self-hosted GitLab recently and found a bug regarding opening files in the browser or downloading them, for instance a file attached to an MR. Opening TXT or YAML files in the browser was really helpful for us.
We found that PDF files are opened in the browser but every other file extension is downloaded. For some of them, like HTML or SVG, it makes sense to download them, since it is well known that opening them inline leads to XSS vulnerabilities, but for others like TXT we did not see a strong reason to avoid opening them inline.
In the end we found the gitlab-workhorse code that decides, depending on the Content-Type header, whether the file is opened in the browser (the Content-Disposition header value is set to inline) or downloaded (the Content-Disposition header value is set to attachment).
Please find below a couple of workhorse logs where a PDF is shown in the browser while a TXT is downloaded:
#PDF well shown (text/plain; charset=utf-8)
{"backend_id":"rails","content_type":"text/plain; charset=utf-8","correlation_id":"01JNNJQBGXS5EVGSQ2M416CA21","duration_ms":60,"host":"my-hosted-gitlab.com","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"https://my-hosted-gitlab.com/Main/my-profect/-/merge_requests/3941","remote_addr":"127.0.0.1:0","remote_ip":"127.0.0.1","route":"^/-/","route_id":"dash","status":200,"system":"http","time":"2025-03-06T11:16:19Z","ttfb_ms":59,"uri":"/-/project/8/uploads/ce0947d360ab1aff92b0c0288fce8643/pdf.pdf","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0","written_bytes":3}
#TXT being downloaded (application/octet-stream)
{"backend_id":"rails","content_type":"application/octet-stream","correlation_id":"01JNNJK39HKTSRBJ1MXAT3PCVH","duration_ms":49,"host":"my-gitlab.com","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"https://my-gitlab.com/Main/my-project/-/merge_requests/3941","remote_addr":"127.0.0.1:0","remote_ip":"127.0.0.1","route":"^/-/","route_id":"dash","status":200,"system":"http","time":"2025-03-06T11:14:00Z","ttfb_ms":49,"uri":"/-/project/8/uploads/28c0bad4e214acf8c2e7e8e0feecf424/sample1.txt","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0","written_bytes":1024}
It seems like text/plain should be allowed by this regexp; unfortunately, in our case TXT files are still downloaded. We could work around the issue by adding the following if here:
// Force inline display for .txt files
if contentType == textPlainContentType {
	contentDisposition = inlineDispositionText
}
Note: we tried different laptop OSes and different browsers, mainly Chrome and Firefox.
Goal
For us it would be very helpful to open certain files like TXT inline instead of downloading them. Additionally, it would be good to be able to choose which file extensions are opened this way, with a potential configuration like gitlab_workhorse['inline-extensions'] = ['yaml', 'pdf', 'txt'],
and to include a validator in workhorse for forbidden extensions like HTML or SVG to avoid XSS vulnerabilities.
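The policy sketched in the goal above, written out as an added Go example for this issue (it is not gitlab-workhorse's own code): an allowlist of inline extensions, each mapped to a fixed non-script media type, a hard denylist for HTML/SVG/XML that rejects the configuration at startup, and X-Content-Type-Options: nosniff on every response. The decision is keyed on the file extension rather than on the backend's Content-Type, because the second log line above shows the backend reporting application/octet-stream for the .txt upload, which is exactly why a Content-Type-based rule still downloads it. The names InlinePolicy, NewInlinePolicy, ResponseHeaders and the safeInlineTypes table are assumptions made for illustration, not workhorse identifiers; the sample requests in main are constructed from the two log lines in the issue.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Hypothetical model of the proposed gitlab_workhorse['inline-extensions']
// setting (assumed names, not workhorse's own code). Each allowlisted
// extension is tied to a fixed, non-script media type, so an inline file is
// never served with a Content-Type a browser would render as HTML or SVG.

// safeInlineTypes: extensions that may be shown inline and the Content-Type
// to send for them, regardless of what the backend reported.
var safeInlineTypes = map[string]string{
	"txt":  "text/plain; charset=utf-8",
	"log":  "text/plain; charset=utf-8",
	"yaml": "text/plain; charset=utf-8",
	"yml":  "text/plain; charset=utf-8",
	"json": "text/plain; charset=utf-8",
	"pdf":  "application/pdf",
}

// deniedInline: extensions browsers can execute script from. They are never
// served inline, even if an operator puts them on the allowlist.
var deniedInline = map[string]bool{
	"html": true, "htm": true, "xhtml": true, "svg": true, "xml": true, "mhtml": true,
}

// InlinePolicy holds the validated allowlist.
type InlinePolicy struct {
	allowed map[string]bool
}

// NewInlinePolicy validates the configured extensions at startup: a denied or
// unknown extension is a configuration error rather than a silent XSS vector.
func NewInlinePolicy(extensions []string) (InlinePolicy, error) {
	allowed := make(map[string]bool, len(extensions))
	for _, raw := range extensions {
		ext := strings.ToLower(strings.TrimPrefix(strings.TrimSpace(raw), "."))
		if deniedInline[ext] {
			return InlinePolicy{}, fmt.Errorf("extension %q can carry active content and must not be inline", ext)
		}
		if _, ok := safeInlineTypes[ext]; !ok {
			return InlinePolicy{}, fmt.Errorf("extension %q has no known safe inline media type", ext)
		}
		allowed[ext] = true
	}
	return InlinePolicy{allowed: allowed}, nil
}

// ResponseHeaders returns the Content-Type, Content-Disposition and
// X-Content-Type-Options to send for an upload. backendContentType is what
// the backend reported (e.g. application/octet-stream in the log above) and
// is only used for the attachment path.
func (p InlinePolicy) ResponseHeaders(filename, backendContentType string) map[string]string {
	base := path.Base(filename)
	ext := strings.ToLower(strings.TrimPrefix(path.Ext(base), "."))
	headers := map[string]string{
		// Stop the browser from sniffing text/plain or octet-stream into HTML.
		"X-Content-Type-Options": "nosniff",
	}
	if p.allowed[ext] {
		headers["Content-Type"] = safeInlineTypes[ext]
		headers["Content-Disposition"] = fmt.Sprintf("inline; filename=%q", base)
		return headers
	}
	if backendContentType == "" {
		backendContentType = "application/octet-stream"
	}
	headers["Content-Type"] = backendContentType
	headers["Content-Disposition"] = fmt.Sprintf("attachment; filename=%q", base)
	return headers
}

func main() {
	policy, err := NewInlinePolicy([]string{"yaml", "pdf", "txt"})
	if err != nil {
		panic(err)
	}
	// Constructed requests modelled on the two log entries in the issue.
	fmt.Println(policy.ResponseHeaders("sample1.txt", "application/octet-stream"))
	fmt.Println(policy.ResponseHeaders("pdf.pdf", "text/plain; charset=utf-8"))
	fmt.Println(policy.ResponseHeaders("page.html", "text/html"))
	// An allowlist that includes svg is rejected at startup.
	_, err = NewInlinePolicy([]string{"txt", "svg"})
	fmt.Println("svg allowlisted:", err)
}
```

The nosniff header matters even for text/plain: without it some browsers will content-sniff a "text" response that starts with markup, so the allowlist alone is not enough to keep inline delivery free of script execution.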