Commit d1657544 authored by Stan Hu's avatar Stan Hu

Reject HEAD requests to info/refs endpoint

In production, we see high error rates due to clients attempting to use
the dumb Git HTTP protocol with HEAD /foo/bar.git/info/refs
endpoint. This isn't supported and causes Error 500s because Workhorse
doesn't send along its secret because it's not proxying this request.

Closes #54579
parent 934253c9
Pipeline #52619635 passed with stages
in 83 minutes and 14 seconds
......@@ -4,6 +4,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
include WorkhorseRequest
before_action :access_check
prepend_before_action :deny_head_requests, only: [:info_refs]
rescue_from Gitlab::GitAccess::UnauthorizedError, with: :render_403
rescue_from Gitlab::GitAccess::NotFoundError, with: :render_404
......@@ -32,6 +33,10 @@ class Projects::GitHttpController < Projects::GitHttpClientController
private
def deny_head_requests
head :forbidden if request.head?
end
def download_request?
upload_pack?
end
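Review bot: The rationale for `deny_head_requests` exists only in the commit message; the method in this hunk should carry it so the next maintainer does not "simplify" it away, e.g. `# HEAD on info/refs is unsupported (dumb HTTP protocol) and is not proxied by Workhorse, so the secret header is absent and the request would 500; reject it up front.` The `prepend_before_action` in the first hunk appears to exist so the check runs ahead of `access_check` (which otherwise hits the missing-secret path) and deserves a one-line note to that effect, since a later reorder to `before_action` would silently reintroduce the 500. Because the refusal is about the HTTP method rather than the caller's permissions, `head :method_not_allowed` would describe the condition more accurately than `:forbidden`, although the spec added in this commit pins 403, so either the code or the spec would need to move together. The enclosing `Projects::GitHttpController` class begins outside both hunks.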
---
title: Reject HEAD requests to info/refs endpoint
merge_request: 26334
author:
type: fixed
# frozen_string_literal: true
require 'spec_helper'
describe Projects::GitHttpController do
describe 'HEAD #info_refs' do
it 'returns 403' do
project = create(:project, :public, :repository)
head :info_refs, params: { namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
expect(response.status).to eq(403)
end
end
end
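Review bot: The spec pins only the public-project case, so it does not show that the short-circuit is independent of authentication and visibility; since `deny_head_requests` is prepended ahead of `access_check`, a second example with `create(:project, :private, :repository)` expecting the same 403 (not 401 or 404) would document that a HEAD probe gets a uniform answer regardless of whether the project exists or is visible to the caller. A companion example issuing `get :info_refs` with the same params and asserting `expect(response.status).not_to eq(403)` would guard against the `only: [:info_refs]` list or the filter ordering being widened later. The 403 expectation is inferred from the controller change rather than from any assertion on the response body here, so an `expect(response.body).to be_empty` line would also confirm the response carries no payload.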