Commit 8fd407be authored by Douglas Barbosa Alexandre's avatar Douglas Barbosa Alexandre

Merge branch 'sh-reject-info-refs-head-requests' into 'master'

Reject HEAD requests to info/refs endpoint

Closes #54579

See merge request !26334
parents c174fc0c d1657544
Pipeline #52638900 passed with stages
in 61 minutes and 41 seconds
......@@ -4,6 +4,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
include WorkhorseRequest
before_action :access_check
prepend_before_action :deny_head_requests, only: [:info_refs]
rescue_from Gitlab::GitAccess::UnauthorizedError, with: :render_403
rescue_from Gitlab::GitAccess::NotFoundError, with: :render_404
......@@ -32,6 +33,10 @@ class Projects::GitHttpController < Projects::GitHttpClientController
private
def deny_head_requests
head :forbidden if request.head?
end
def download_request?
upload_pack?
end
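Review bot: Nothing in the new code records why a HEAD request to info/refs is rejected instead of being served as a GET, nor why the callback must be `prepend_before_action` rather than `before_action`; a later maintainer could reorder it or demote it to `before_action` without anything failing at review time. I would put a comment above the `prepend_before_action :deny_head_requests, only: [:info_refs]` line such as `# Reject HEAD before any authentication/access callbacks run (see #54579); prepended so it fires ahead of callbacks declared in GitHttpClientController.` Because the guard answers before `access_check`, every HEAD gets the same 403 whether or not the repository exists or the caller is authorised, which is presumably the intent and worth stating, since it is what prevents the endpoint from acting as an existence oracle. The choice of `head :forbidden` over a 405 with an Allow header is also undocumented; the spec pins 403, so only the rationale is missing. Both hunks are excerpts of the class, and the parent controller's callbacks that this ordering depends on are outside the hunk.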
......
---
title: Reject HEAD requests to info/refs endpoint
merge_request: 26334
author:
type: fixed
# frozen_string_literal: true
require 'spec_helper'
describe Projects::GitHttpController do
describe 'HEAD #info_refs' do
it 'returns 403' do
project = create(:project, :public, :repository)
head :info_refs, params: { namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
expect(response.status).to eq(403)
end
end
end
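Review bot: The spec covers only a public repository, so it would still pass if the guard were moved after `access_check` (a public repo's info/refs would be reachable either way and the HEAD check would still fire); the property the commit actually relies on — that HEAD is refused before authentication and access checks run — is untested. Adding an example against a private project with no signed-in user, asserting the same 403, would catch that regression. The factory traits and request shape below mirror the existing example; the `:private` trait is assumed to exist alongside `:public`.

```ruby
    it 'returns 403 for a private project without authentication' do
      project = create(:project, :private, :repository)
      head :info_refs, params: { namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
      expect(response.status).to eq(403)
    end
```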