authorSaturnino Abril <saturnino.abril@gmail.com>2018-07-28 14:27:55 +0800
committerGitHub <noreply@github.com>2018-07-28 14:27:55 +0800
commit51dc5fa36ed2d5afa72bf630d66693bd99acb916 (patch)
treebd46add031451bebf3e4a4651a1f3095ed59116d /app
parent6ac82d5171769bf8d543cb6c017d29c0a4c81621 (diff)
[MM-10621] Set createAt timestamp on file upload api call to secure upload order of files (#9170)
* set createAt timestamp on file upload api call to secure upload order of files * fix test on plugin hooks
Diffstat (limited to 'app')
-rw-r--r--app/file.go9
-rw-r--r--app/plugin_hooks_test.go2
2 files changed, 7 insertions, 4 deletions
diff --git a/app/file.go b/app/file.go
index b0c80da16..7dbcdd394 100644
--- a/app/file.go
+++ b/app/file.go
@@ -321,7 +321,7 @@ func GeneratePublicLinkHash(fileId, salt string) string {
return base64.RawURLEncoding.EncodeToString(hash.Sum(nil))
}
-func (a *App) UploadMultipartFiles(teamId string, channelId string, userId string, fileHeaders []*multipart.FileHeader, clientIds []string) (*model.FileUploadResponse, *model.AppError) {
+func (a *App) UploadMultipartFiles(teamId string, channelId string, userId string, fileHeaders []*multipart.FileHeader, clientIds []string, now time.Time) (*model.FileUploadResponse, *model.AppError) {
files := make([]io.ReadCloser, len(fileHeaders))
filenames := make([]string, len(fileHeaders))
@@ -338,13 +338,13 @@ func (a *App) UploadMultipartFiles(teamId string, channelId string, userId strin
filenames[i] = fileHeader.Filename
}
- return a.UploadFiles(teamId, channelId, userId, files, filenames, clientIds)
+ return a.UploadFiles(teamId, channelId, userId, files, filenames, clientIds, now)
}
// Uploads some files to the given team and channel as the given user. files and filenames should have
// the same length. clientIds should either not be provided or have the same length as files and filenames.
// The provided files should be closed by the caller so that they are not leaked.
-func (a *App) UploadFiles(teamId string, channelId string, userId string, files []io.ReadCloser, filenames []string, clientIds []string) (*model.FileUploadResponse, *model.AppError) {
+func (a *App) UploadFiles(teamId string, channelId string, userId string, files []io.ReadCloser, filenames []string, clientIds []string, now time.Time) (*model.FileUploadResponse, *model.AppError) {
if len(*a.Config().FileSettings.DriverName) == 0 {
return nil, model.NewAppError("uploadFile", "api.file.upload_file.storage.app_error", nil, "", http.StatusNotImplemented)
}
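Review bot: The doc comment above UploadFiles is left unchanged and does not describe the new `now` parameter, although later hunks use it for `info.CreateAt` and for the `20060102` date component of the storage path. I would add a line such as `// now is the server-side receive time; it becomes CreateAt and the date directory of the stored path for every file in the call.` Both functions are exported and their callers are outside this diff (it is limited to app/), so the comment should also say that the value must come from the server clock and not from anything in the request. UploadFiles' body continues outside the hunk.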
@@ -367,7 +367,7 @@ func (a *App) UploadFiles(teamId string, channelId string, userId string, files
io.Copy(buf, file)
data := buf.Bytes()
- info, data, err := a.DoUploadFileExpectModification(time.Now(), teamId, channelId, userId, filenames[i], data)
+ info, data, err := a.DoUploadFileExpectModification(now, teamId, channelId, userId, filenames[i], data)
if err != nil {
return nil, err
}
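Review bot: Every file handled in this call now receives the same `now`, where the old `time.Now()` gave each one its own instant, so files uploaded in one request will presumably end up with identical `CreateAt` values. If the aim of the change is a stable upload order, whatever sorts these records needs a deterministic tie-break for equal timestamps, for example the position in `files`. No such tie-break is visible in this diff, so it is worth confirming against the code that reads the records. The enclosing loop starts outside the hunk.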
@@ -417,6 +417,7 @@ func (a *App) DoUploadFileExpectModification(now time.Time, rawTeamId string, ra
info.Id = model.NewId()
info.CreatorId = userId
+ info.CreateAt = now.UnixNano() / int64(time.Millisecond)
pathPrefix := now.Format("20060102") + "/teams/" + teamId + "/channels/" + channelId + "/users/" + userId + "/" + info.Id + "/"
info.Path = pathPrefix + filename
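Review bot: `now.UnixNano()` is only defined for instants that fit in an int64 of nanoseconds (roughly years 1678 to 2262), so a zero `time.Time` passed through the new parameter gives an unspecified `CreateAt`, and the same value names the date directory on the next line. Since `now` is now caller-supplied through two exported functions, I would either reject `now.IsZero()` at the top of DoUploadFileExpectModification or avoid the nanosecond intermediate: `info.CreateAt = now.Unix()*1000 + int64(now.Nanosecond())/int64(time.Millisecond)`. The function body starts and ends outside the hunk.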
diff --git a/app/plugin_hooks_test.go b/app/plugin_hooks_test.go
index 6e8434cab..488d81757 100644
--- a/app/plugin_hooks_test.go
+++ b/app/plugin_hooks_test.go
@@ -11,6 +11,7 @@ import (
"os/exec"
"path/filepath"
"testing"
+ "time"
"github.com/mattermost/mattermost-server/model"
"github.com/mattermost/mattermost-server/plugin"
@@ -352,6 +353,7 @@ func TestHookFileWillBeUploaded(t *testing.T) {
[]io.ReadCloser{ioutil.NopCloser(bytes.NewBufferString("inputfile"))},
[]string{"testhook.txt"},
[]string{},
+ time.Now(),
)
assert.Nil(t, err)
assert.NotNil(t, response)
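Review bot: The test passes `time.Now()` only to satisfy the new signature, and none of the assertions visible here checks the timestamp that the commit introduces. Passing a fixed instant (constructed example: `now := time.Date(2018, 7, 28, 0, 0, 0, 0, time.UTC)`) would allow `assert.Equal(t, now.UnixNano()/int64(time.Millisecond), response.FileInfos[0].CreateAt)`, assuming the response carries the stored FileInfo. That would pin the behaviour the commit title describes. The test function continues outside the hunk, so such a check may already exist further down.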