Document crashing bug in curl < 7.73 with https proxies and no_proxy/https_proxy set

Summary

There is a crashing bug in curl < 7.73 where git-remote-http will segfault when both NO_PROXY and HTTPS_PROXY are set and the proxy URL uses the https protocol.

GitLab Runner Failure Case

On systems with an affected libcurl, the failure appears when the environment for gitlab-runner.service is set in /etc/systemd/system/gitlab-runner.service.d/http-proxy.conf with:

[Service]
Environment="HTTP_PROXY=https://proxyhost.domain:proxyport/"
Environment="HTTPS_PROXY=https://proxyhost.domain:proxyport/"
Environment="NO_PROXY=.domain"

You will notice that jobs fail immediately during the clone, as if git were not respecting the NO_PROXY setting:

Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /home/gitlab-runner/builds/<token>/0/project/.git/
Cleaning up file based variables
00:00
ERROR: Job failed: exit status 1

Adding:

variables:
  GIT_TRACE: "1"
  GIT_TRACE_PERFORMANCE: "1"
  GIT_CURL_VERBOSE: "1"

pinpointed the failure point:

Cloning into 'project'...
18:19:46.177289 http.c:756              == Info: Couldn't find host <hostname> in the .netrc file; using defaults
18:19:46.270151 http.c:756              == Info:   Trying <IP>...
18:19:46.270175 http.c:756              == Info: TCP_NODELAY set
18:19:46.271333 http.c:756              == Info: Connected to <hostname> (<IP>) port 443 (#0)
18:19:46.272212 http.c:756              == Info: ALPN, offering http/1.1

Additionally, a segfault was observed in the system log.

Steps To Reproduce

Ubuntu 20.04/18.04:

Outside of GitLab Runner:

$ GIT_CURL_VERBOSE=1 NO_PROXY=gitlab.com HTTPS_PROXY=https://gitlab.com /opt/gitlab/embedded/bin/git clone https://gitlab.com/gitlab-examples/lfs.git
Cloning into 'lfs'...
20:46:26.535827 http.c:756              == Info: Couldn't find host gitlab.com in the .netrc file; using defaults
20:46:26.538605 http.c:756              == Info:   Trying 172.65.251.78...
20:46:26.538662 http.c:756              == Info: TCP_NODELAY set
20:46:26.590549 http.c:756              == Info: Connected to gitlab.com (172.65.251.78) port 443 (#0)
20:46:26.591960 http.c:756              == Info: ALPN, offering http/1.1
error: git-remote-https died of signal 11

/var/log/syslog

Dec 30 20:46:14 gitlab kernel: [1405790.403813] git-remote-http[3477151]: segfault at 0 ip 00007f6c01fb4675 sp 00007ffc4e92ec28 error 4 in libc-2.31.so[7f6c01e4e000+178000]
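
A check for the triggering combination described in the summary, as an added example that is not part of the original issue: it reads a systemd drop-in and reports whether it pairs an https:// HTTPS_PROXY with a non-empty NO_PROXY on libcurl older than 7.73. The function names and sample files are constructed here, and the libcurl version is passed in by hand on the assumption that you have confirmed which libcurl your git binary links against.

```shell
#!/usr/bin/env bash
# Added example: flags the environment combination this issue describes.
# Function names and the sample drop-ins are constructed for illustration.

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# env_value FILE NAME: print NAME's value from systemd Environment= lines.
# Handles the one-assignment-per-line form shown in the issue; last match wins.
env_value() {
  sed -n "s/^Environment=\"\{0,1\}$2=\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n1
}

# affected FILE LIBCURL_VERSION: succeed only when all three conditions hold:
# libcurl < 7.73, HTTPS_PROXY is an https:// URL, and NO_PROXY is non-empty.
affected() {
  local https_proxy no_proxy
  https_proxy=$(env_value "$1" HTTPS_PROXY)
  no_proxy=$(env_value "$1" NO_PROXY)
  version_lt "$2" 7.73.0 || return 1
  case "$https_proxy" in https://*) ;; *) return 1 ;; esac
  [ -n "$no_proxy" ]
}

# Constructed samples: the issue's configuration, and the same configuration
# with the proxy reached over plain http instead of https.
sample_dir=$(mktemp -d)
cat > "$sample_dir/https-proxy.conf" <<'EOF'
[Service]
Environment="HTTP_PROXY=https://proxyhost.domain:proxyport/"
Environment="HTTPS_PROXY=https://proxyhost.domain:proxyport/"
Environment="NO_PROXY=.domain"
EOF
sed 's#=https://#=http://#' "$sample_dir/https-proxy.conf" > "$sample_dir/http-proxy.conf"

# 7.68.0 and 7.73.0 are constructed sample versions on either side of the fix.
for f in https-proxy.conf http-proxy.conf; do
  for v in 7.68.0 7.73.0; do
    if affected "$sample_dir/$f" "$v"; then r=AFFECTED; else r=ok; fi
    echo "$f with libcurl $v: $r"
  done
done
```
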

See Also

See also omnibus-gitlab#5896 (closed)

Ticket

Ticket: 184572

Agent: Jason Young

Edited by Jason Young