File upload API for gitlab.com breaks when URL contains duplicate slashes, while other endpoints will work just fine


Summary

When attempting to send a POST /api/v4/projects/:id/uploads request with duplicate slashes, i.e. https://gitlab.com/api/v4//projects/123/uploads, Cloudflare responds with HTTP status 520: web server returns an unknown error. I guess that a self-managed instance will also respond in a weird way. The problematic part is the fact that all other APIs will handle a double slash with no issues, so it's hard to guess that the URL might be the problem when other endpoints work fine. It took me a lot of time to spot the duplicate slash because of that.

Steps to reproduce

  1. Set up a project for GitLab SaaS.
  2. Send a file upload request with a duplicate slash in the URL:
    curl \
      --request POST \
      --header "PRIVATE-TOKEN: <your_access_token>" \
      --form "file=@dk.png" "https://gitlab.com/api/v4//projects/5/uploads" \
      -v
  3. Cloudflare will return HTTP status 520 with an empty body (visible with -v).

What is the current bug behavior?

The server responds with an error without any indication of what's wrong, while all other API endpoints work fine when the URL is malformed by double slashes.

What is the expected correct behavior?

As with all other APIs, the double slash should be ignored, or the server should return a better error status: 404 or 500 indicating that the URL is malformed.

Relevant logs and/or screenshots

Request and response from cURL (irrelevant parts are omitted):

> POST /api/v4//projects/<project_id>/uploads HTTP/2
> Host: gitlab.com
> User-Agent: curl/7.58.0
> Accept: */*
> PRIVATE-TOKEN: <your_access_token>
> Content-Length: 1372164
> Content-Type: multipart/form-data; boundary=------------------------09cb77fc5f6fbb8d

< HTTP/2 520
< date: Tue, 20 Sep 2022 11:20:59 GMT
< content-length: 0
< cache-control: no-store, no-cache
< cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LZI5OOUL%2FAH0VpoelDiv631f5li7CjcETRZGyeOEsBKS%2F7fkfSt3Ozcm1pHq4lHcm%2BMjwhs0L2nDmaIt0BRk2VIzRRgKtaWwdc60B1mRyGU0hIZNl%2Fr0ZLPDk00%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=31536000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 74da2cc95c5cc01c-WAW
* HTTP error before end of send, stop sending

Output of checks

This bug happens on GitLab.com

Possible fixes

I can just assume that the code responsible for reading multipart/form-data might be responsible; maybe it throws an exception that is not handled. I had some similar problems in ASP.NET when my custom request data binding would skip generic exception handling, because it runs before any endpoint code.

Edited by 🤖 GitLab Bot 🤖
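
A client-side guard for the situation described in this issue, as an added example that is not part of the original report or of GitLab's code: it collapses duplicate slashes in the path of an API URL before the request is sent, leaving the query string and URL-encoded project paths (`%2F`) untouched. The function names are hypothetical and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def has_duplicate_slash(url: str) -> bool:
    """Return True if the path component contains an empty segment ('//')."""
    return "//" in urlsplit(url).path


def normalize_api_url(url: str) -> str:
    """Collapse runs of '/' in the path only.

    urlsplit() does not percent-decode, so an encoded project path such as
    'group%2Fproject' is preserved, and the '//' after the scheme and any
    slashes in the query string are not part of the path and stay intact.
    """
    parts = urlsplit(url)
    clean_path = re.sub(r"/{2,}", "/", parts.path)
    return urlunsplit(parts._replace(path=clean_path))


def join_api_url(base: str, endpoint: str) -> str:
    """Join a base URL and an endpoint without producing '//'.

    The typical source of the duplicate slash is a base URL configured with
    a trailing slash combined with an endpoint that starts with one.
    """
    return normalize_api_url(base.rstrip("/") + "/" + endpoint.lstrip("/"))


if __name__ == "__main__":
    # Constructed sample URLs modelled on the request in this report.
    samples = [
        "https://gitlab.com/api/v4//projects/5/uploads",
        "https://gitlab.com/api/v4//projects/group%2Fproj/uploads",
        "https://gitlab.com/api/v4/projects?search=a//b",
    ]
    for url in samples:
        flag = "duplicate slash" if has_duplicate_slash(url) else "ok"
        print(f"{flag:16} {url} -> {normalize_api_url(url)}")
    print(join_api_url("https://gitlab.com/api/v4/", "/projects/5/uploads"))
```
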