Skip to content

Gitlab::Git::CommandError `13:cannot skip to offset: offset 40 is invalid` should be a client error

Summary

While looking at a mysterious increase in web error rates, we noticed, that some requests caused a Gitlab::Git::CommandError with the message 13:cannot skip to offset: offset 40 is invalid: <nil>. to be reported as HTTP 500. Matching requests can be found here internal.

In our understanding, since the offset is user-provided, this should be reported as an HTTP 400-class error.

Marked as confidential for now, as I am not sure if this could be an attack vector.

Steps to reproduce

The specific error seems to be caused by sending this payload (json.params in the logs) to the project's endpoint at https://gitlab.com/<namespace>/<project>/-/commits/master.

{
  "key": "limit",
  "value": "40"
},
{
  "key": "offset",
  "value": "40"
},
{
  "key": "namespace_id",
  "value": "<namespace>"
},
{
  "key": "project_id",
  "value": "<project>"
},
{
  "key": "id",
  "value": "master"
}

Example Project

What is the current bug behavior?

Gitlab::Git::CommandError with the message 13:cannot skip to offset: offset 40 is invalid: <nil>. is reported as HTTP 500.

What is the expected correct behavior?

Gitlab::Git::CommandError with the message 13:cannot skip to offset: offset 40 is invalid: <nil>. is reported as HTTP 4XX.

Relevant logs and/or screenshots

Matching requests can be found here internal.

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Expand for output related to GitLab environment info 

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)


(we will only investigate if the tests are passing)

Possible fixes