[GH-8911] Fix file upload request when CSRF protection is enabled (#8912)

KohheiAdachi · web-flow · commit 85fcdacee743 · 2025-10-01T11:00:55.000-03:00
* Fix file upload for csrf protection

* Fix use profile upload for csrf protection

* Fix tests

* Fix files.test.ts
diff --git a/app/actions/remote/user.test.ts b/app/actions/remote/user.test.ts
@@ -58,6 +58,7 @@ const user1 = {id: 'userid1', username: 'user1', email: 'user1@mattermost.com',
 const user2 = {id: 'userid2', username: 'user2', email: 'user2@mattermost.com', roles: ''} as UserProfile;
 
 const mockClient = {
+    getRequestHeaders: jest.fn(() => ({})),
     getMe: jest.fn(() => ({id: 'userid1', username: 'user1', email: 'user1@mattermost.com', roles: ''})),
     getStatus: jest.fn((id: string) => ({user_id: id === 'me' ? 'userid1' : id, status: 'online'})),
     getProfilesInChannel: jest.fn(() => ([user1, user2])),
diff --git a/app/actions/remote/user.ts b/app/actions/remote/user.ts
@@ -774,6 +774,7 @@ export const uploadUserProfileImage = async (serverUrl: string, localPath: strin
                 multipart: {
                     fileKey: 'image',
                 },
+                headers: client.getRequestHeaders('POST'),
             });
         }
         return {};
diff --git a/app/client/rest/files.test.ts b/app/client/rest/files.test.ts
@@ -87,6 +87,7 @@ test('uploadAttachment', () => {
             },
         },
         timeoutInterval: 180000,
+        headers: {Accept: 'application/json'},
     };
 
     (client.apiClient.upload as jest.Mock).mockReturnValue({
@@ -110,6 +111,7 @@ test('uploadAttachment', () => {
             },
         },
         timeoutInterval: 180000,
+        headers: {Accept: 'application/json'},
     };
     client.uploadAttachment(file, channelId, onProgress, onComplete, onError);
     expect(client.apiClient.upload).toHaveBeenCalledWith(client.getFilesRoute(), file.localPath, expectedDefaultOptions);
diff --git a/app/client/rest/files.ts b/app/client/rest/files.ts
@@ -81,6 +81,7 @@ const ClientFiles = <TBase extends Constructor<ClientBase>>(superclass: TBase) =
                 },
             },
             timeoutInterval: toMilliseconds({minutes: 3}),
+            headers: this.getRequestHeaders('POST'),
         };
         if (!file.localPath) {
             throw new Error('file does not have local path defined');

Original file line number	Diff line number	Diff line change
`@@ -774,6 +774,7 @@ export const uploadUserProfileImage = async (serverUrl: string, localPath: strin`
`774`	`774`	`multipart: {`
`775`	`775`	`fileKey: 'image',`
`776`	`776`	`},`
	`777`	`+ headers: client.getRequestHeaders('POST'),`
`777`	`778`	`});`
`778`	`779`	`}`
`779`	`780`	`return {};`