Warn users special characters break container registry
This issue was closed because it does not seem feasible, but may be useful for background info.
Problem to solve
The GitLab Container Registry allows users to build, push and share docker images/tags. However, if a user has special characters in either their group or project name and clicks on the 'Registry' section of their project, they will receive a 500 error and no explanation why. And, if a user has a branch name that includes special characters and attempts to build an image from GitLab's CI/CD product, it also fails on connection.
The root cause of this is that we validate registry paths against a Docker Distribution repository path regexp. And the below special characters result in an invalid path.
- Leading underscore
- Trailing hyphen/dash
- Double hyphen/dash
Intended users
Although Developers are the main focus of this issue, this impacts reporters as well, as they have permission to view the Registry and will receive an unexplained 500 error when trying to navigate to the Container Registry.
Proposal
Warn users when they attempt to create a group, project or branch name with the below special characters, that doing so will prevent them from using the Container Registry.
- A leading underscore:
_myproject - A trailing hyphen or dash:
myproject- - A double hyphen or dash:
my--project
Copy:
Please note, that using any of the below special characters will prevent you from using the GitLab Container Registry. For more help, please view the Container Registry documentation
- A leading underscore:
_myproject - A trailing hyphen or dash:
myproject- - A double hyphen or dash:
my--project
Further details
https://gitlab.com/gitlab-org/gitlab-ce/issues/45104 addresses the problem for existing group/project/branch names by updating the error page to explain the possible error and pointing the users to documentation on how to fix the issue. This issue, aims to minimize future occurrences of the issue, by alerting users further upstream.
Permissions and Security
There are no permissions issues that are related to this.
Documentation
Since this change impacts project/group and branch creation, we must update the documentation for each of those steps. We can add a note to each section, explaining that use of the above special characters will prevent them from using the Container Registry.
Testing
- This change impacts project, group and branch creation. We must ensure that there are no breaking changes introduced.
What does success look like, and how can we measure that?
Success looks like any user that is creating a project, group or branch is aware that using any special characters could prevent them from using the Container Registry.
Future Consideration
CLI Project/Group/Branch creation
- Currently if a user attempts to create a project from the command line with a reserved project name we return the below error. In the future, we will need to return a more helpful error message and will include messaging about special characters.
fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
- We currently allow administrators to set push rules for restricting branch names at the instance level, using regular expression. Another future change could be to set default push rules that prevent naming projects with special characters.
API Project/Group/Branch creation
- We allow administrators to create, edit and fork projects and enforce reserved project names. We need to update to exclude special characters and update the response code to add a detailed message.
- We allow administrators to create, edit and transfer groups and do not have any current naming restrictions.
- We allow administrators to create branches and follow any push rules set at the instance level.
LDAP Group creation
- Administrators may create, transfer and update the path for groups without restriction.
Links / references
Sentry: https://sentry.gitlab.net/gitlab/gitlabcom/issues/142564/