Export vulnerabilities to CSV does not work when GitLab is mounted on a relative URL
Summary
When GitLab is mounted on a relative URL such as `http://gitlab.test:8080/relative`, the Export to CSV feature doesn't work from the vulnerability report page.
More context here.
Steps to reproduce
- Host the GitLab application on a relative URL. https://docs.gitlab.com/ee/install/relative_url.html
- Go to a project's vulnerability report with a few vulnerabilities.
- Click the export to CSV button.
What is the current bug behavior?
Error exporting vulnerabilities. The API throws a 404.
What is the expected correct behavior?
Export should be successful.
Possible fixes
Currently the `vulnerabilitiesExportEndpoint` used by `CsvExportButton` does not include the relative aspect of the host URL.
```
pry(main)> app.api_v4_security_projects_vulnerability_exports_path(id: 46)
=> "/api/v4/security/projects/46/vulnerability_exports"
```
Therefore calling `expose_path` when setting `vulnerabilities_export_endpoint` ensures that the relative aspect of the host URL is considered.
```
pry(main)> expose_path(app.api_v4_security_projects_vulnerability_exports_path(id: 46))
=> "/gitlab/api/v4/security/projects/46/vulnerability_exports"
```
When running the above in console the following modules are required: (1) `API::Helpers::RelatedResourcesHelpers`, (2) `GrapePathHelpers::NamedRouteMatcher` and (3) `include Rails.application.routes.url_helpers`.
This example is reproducible in GDK by following these steps. My local instance also required running `gdk reconfigure`.
- backend: Add `expose_path` when setting `vulnerabilities_export_endpoint` in the helper method.
Draft MR with the fix: !106316 (merged)
Verification steps
- Check the result of the test `Govern Vulnerability report in a project can export vulnerability report to csv` for relative URL as shown here.
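The 404 described under "Possible fixes" follows from how a root-relative path resolves against the page URL. The Ruby sketch below is an added illustration, not GitLab's implementation of `expose_path`; the helper names and the page URL after `/relative` are assumptions, while the root and the API path come from the issue.

```ruby
# Added illustration, not GitLab's implementation of expose_path.
require "uri"

# Normalise a relative URL root: "" for a root install, "/relative" otherwise.
def normalize_root(root)
  cleaned = root.to_s.strip.gsub(%r{\A/+|/+\z}, "")
  cleaned.empty? ? "" : "/#{cleaned}"
end

# Prefix an application path with the relative URL root (hypothetical helper).
def with_relative_root(path, root)
  path = "/#{path}" unless path.start_with?("/")
  "#{normalize_root(root)}#{path}"
end

# Resolve an endpoint the way a browser resolves a request URL against the page.
def requested_url(page_url, endpoint)
  URI.join(page_url, endpoint).to_s
end

# Heuristic check: names of endpoints that would be requested outside the root.
def endpoints_missing_root(endpoints, root)
  root = normalize_root(root)
  return [] if root.empty?
  endpoints.reject { |_name, path| path.start_with?("#{root}/") }.keys
end

ROOT = "/relative" # from the summary's example URL
# Constructed page URL; only the host and the root come from the issue.
PAGE = "http://gitlab.test:8080/relative/group/project/-/security/vulnerability_report"
BARE = "/api/v4/security/projects/46/vulnerability_exports" # path helper output

if __FILE__ == $PROGRAM_NAME
  puts requested_url(PAGE, BARE)                           # leaves /relative
  puts requested_url(PAGE, with_relative_root(BARE, ROOT)) # stays under /relative
  p endpoints_missing_root({ vulnerabilities_export_endpoint: BARE }, ROOT)
end
```

A check like `endpoints_missing_root` can run in a spec over every endpoint a helper hands to the frontend, so other unprefixed paths are caught on relative-URL installs.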