GitLab fails to load X509 signatures when the certificate subject exceeds 255 characters.
Summary
We use X509 certificates, but it seems that the subject field of X509Certificate has a limit of 255 characters.
Example of a subject we have:
E = krasovsky@sovcombank.ru
CN = Длинное Кириллическое Имя
OU = Длинное имя отдела
OU = Длинное имя департамента
OU = City
OU = State
OU = Users
OU = SCB
DC = sovcombank
DC = group
Steps to reproduce
- Create an X509 certificate with a large UTF-8 subject attribute.
- Sign and push commit.
- Go to project and observe the bug.
Example Project
Will add an example later.
What is the current bug behavior?
X509 signatures don't load.
What is the expected correct behavior?
Signatures should load successfully.
Relevant logs and/or screenshots
Output of checks
irb(main):005:0> signature.x509_certificate.nil?
Traceback (most recent call last):
16: from lib/gitlab/database/load_balancing/load_balancer.rb:184:in `retry_with_backoff'
15: from lib/gitlab/database/load_balancing/load_balancer.rb:115:in `block in read_write'
14: from lib/gitlab/database/load_balancing/connection_proxy.rb:120:in `block in write_using_load_balancer'
13: from app/models/application_record.rb:86:in `block in safe_find_or_create_by'
12: from lib/gitlab/database/load_balancing/connection_proxy.rb:71:in `transaction'
11: from lib/gitlab/database/load_balancing/connection_proxy.rb:119:in `write_using_load_balancer'
10: from lib/gitlab/database/load_balancing/load_balancer.rb:111:in `read_write'
9: from lib/gitlab/database/load_balancing/load_balancer.rb:184:in `retry_with_backoff'
8: from lib/gitlab/database/load_balancing/load_balancer.rb:115:in `block in read_write'
7: from lib/gitlab/database/load_balancing/connection_proxy.rb:120:in `block in write_using_load_balancer'
6: from lib/gitlab/database/load_balancing/connection_proxy.rb:61:in `block (2 levels) in <class:ConnectionProxy>'
5: from lib/gitlab/database/load_balancing/connection_proxy.rb:119:in `write_using_load_balancer'
4: from lib/gitlab/database/load_balancing/load_balancer.rb:111:in `read_write'
3: from lib/gitlab/database/load_balancing/load_balancer.rb:184:in `retry_with_backoff'
2: from lib/gitlab/database/load_balancing/load_balancer.rb:115:in `block in read_write'
1: from lib/gitlab/database/load_balancing/connection_proxy.rb:120:in `block in write_using_load_balancer'
ActiveRecord::ValueTooLong (PG::StringDataRightTruncation: ERROR: value too long for type character varying(255))
Results of GitLab environment info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.4
Bundler Version: 2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version: 6.4.0
Go Version: unknown

GitLab information
Version: 15.2.2
Revision: 4ecb014a935
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.10
URL: https://gitlab.example.com
HTTP Clone URL: https://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: oauth2_generic

GitLab Shell
Version: 14.9.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.9.0 ? ... OK (14.9.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
not verifying SSL hostname of LDAPS server 'ldapauth.example.com:389'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
3/4 ... yes
5/7 ... yes
13/9 ... yes
...
Redis version >= 6.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git user has default SSH configuration? ... yes
Active users: ... 2506
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
We need to increase the Postgres character varying limit from 255 to 511 or even more. Probably a new migration will be enough.
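Both the reproduction steps and the proposed column widening depend on how long the subject string actually is at the moment it is written, and that depends on which string form of the X509 name is stored. The Ruby script below is an added example, not code from this report or from GitLab. It builds an OpenSSL::X509::Name shaped like the subject listed in the summary (the values are constructed for illustration) and measures the three string forms Ruby's OpenSSL binding offers. The assumption behind it is that the value reaching the varchar(255) column is the default OpenSSL::X509::Name#to_s output, the X509_NAME_oneline form, which writes every non-ASCII byte as \xHH, so a two-byte Cyrillic letter costs eight characters. SUBJECT_COLUMN_LIMIT is taken from the traceback; storable_subject and the other function names are this example's own.

```ruby
require 'openssl'

# Column limit taken from the traceback in this report:
# "value too long for type character varying(255)".
SUBJECT_COLUMN_LIMIT = 255

# Constructed subject modelled on the attribute list in the report.
# Values are illustrative. Entries are in DER order (DC first), the
# reverse of the most-specific-first order the report displays.
REPORTED_SUBJECT = OpenSSL::X509::Name.new([
  ['DC',           'group',                     OpenSSL::ASN1::IA5STRING],
  ['DC',           'sovcombank',                OpenSSL::ASN1::IA5STRING],
  ['OU',           'SCB',                       OpenSSL::ASN1::UTF8STRING],
  ['OU',           'Users',                     OpenSSL::ASN1::UTF8STRING],
  ['OU',           'State',                     OpenSSL::ASN1::UTF8STRING],
  ['OU',           'City',                      OpenSSL::ASN1::UTF8STRING],
  ['OU',           'Длинное имя департамента',  OpenSSL::ASN1::UTF8STRING],
  ['OU',           'Длинное имя отдела',        OpenSSL::ASN1::UTF8STRING],
  ['CN',           'Длинное Кириллическое Имя', OpenSSL::ASN1::UTF8STRING],
  ['emailAddress', 'krasovsky@sovcombank.ru',   OpenSSL::ASN1::IA5STRING],
])

# The three string forms the Ruby OpenSSL binding offers for a Name:
# - to_s with no argument calls X509_NAME_oneline ("/DC=group/DC=..."),
#   writing every byte outside printable ASCII as \xHH: 4 chars per byte,
#   8 chars per Cyrillic letter.
# - to_s(RFC2253) calls X509_NAME_print_ex with the RFC 2253 flags,
#   writing bytes >= 0x80 as \HH: 3 chars per byte.
# - to_utf8 is the RFC 2253 form without the high-bit escaping: real
#   UTF-8, one character per letter.
def subject_forms(name)
  {
    oneline: name.to_s,
    rfc2253: name.to_s(OpenSSL::X509::Name::RFC2253),
    utf8:    name.to_utf8,
  }
end

# PostgreSQL varchar(n) limits characters, not bytes, so use String#length.
def fits_column?(str, limit = SUBJECT_COLUMN_LIMIT)
  str.length <= limit
end

# Per-form summary: characters and bytes each representation needs, and
# whether it would survive the column limit.
def subject_report(name, limit = SUBJECT_COLUMN_LIMIT)
  subject_forms(name).transform_values do |s|
    { chars: s.length, bytes: s.bytesize, fits: fits_column?(s, limit) }
  end
end

# Hypothetical pre-write check (not GitLab's code): store the UTF-8 form,
# which is the shortest and the one a human can read back, and fail with a
# clear message before the database raises ActiveRecord::ValueTooLong from
# inside a transaction. Returns the string to store.
def storable_subject(name, limit = SUBJECT_COLUMN_LIMIT)
  subject = name.to_utf8
  return subject if fits_column?(subject, limit)

  raise ArgumentError,
        "certificate subject is #{subject.length} characters, column allows #{limit}"
end

if $PROGRAM_NAME == __FILE__
  subject_report(REPORTED_SUBJECT).each do |form, stats|
    puts format('%-8s chars=%3d bytes=%3d fits=%s',
                form, stats[:chars], stats[:bytes], stats[:fits])
  end
  puts storable_subject(REPORTED_SUBJECT)
end
```

For the constructed subject the UTF-8 form is 171 characters and fits the existing column, while the oneline form escapes the 61 Cyrillic letters to eight characters each and runs to roughly 600 characters, so if the oneline form is what gets stored, widening the column to 511 would still not hold this subject. Checking the length of the form that is actually written, in characters rather than bytes, is the check to run before choosing a new column width.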