
Pagination for Branches and Tags can be skipped

Problem

!92624 (merged) introduced an option to skip pagination for the tree API. However, Gitlab::Pagination::GitalyKeysetPager is used for branches and tags as well, so pagination=none unintentionally works for those endpoints too. That opens a potential abuse vector (for example a DoS attack), since a single request can pull the full branch or tag list.

Solution

Make sure that pagination=none is applied only to TreeFinder. The code with the vulnerability.

Reproduction steps

Trying to set per_page > 100, the API returns only 100 elements:

curl --silent http://127.0.0.1:3000/api/v4/projects/2/repository/branches\?per_page\=200 | jq length
100

But with pagination=none, the API returns everything:

curl --silent http://127.0.0.1:3000/api/v4/projects/2/repository/branches\?pagination\=none | jq length
126
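A simplified model of the bypass shown above and of the fix described under Solution, as an added Ruby example (not GitLab's own code): the finder classes, the pager and the 100-item cap are assumed stand-ins for Gitlab::Pagination::GitalyKeysetPager and the real finders, and the 126-entry branch list is constructed to match the reproduction.

```ruby
# Added example, not GitLab's code: TreeFinder, BranchesFinder and the pagers
# are hypothetical stand-ins; the cap mirrors the per_page=200 -> 100 behaviour.
MAX_PER_PAGE = 100
DEFAULT_PER_PAGE = 20

class ListFinder
  def initialize(items); @items = items; end
  def execute; @items; end
end
class TreeFinder < ListFinder; end
class BranchesFinder < ListFinder; end

# Vulnerable pager: pagination=none is honoured for every finder it is given,
# so one request to branches or tags returns the whole list.
class VulnerablePager
  def initialize(params); @params = params; end

  def skip_pagination?(_finder)
    @params[:pagination] == 'none'
  end

  def paginate(finder)
    items = finder.execute
    return items if skip_pagination?(finder)

    per_page = [@params.fetch(:per_page, DEFAULT_PER_PAGE).to_i, MAX_PER_PAGE].min
    per_page = DEFAULT_PER_PAGE unless per_page.positive?
    items.first(per_page)
  end
end

# Fixed pager: the unpaginated path is reachable only for TreeFinder; every
# other finder stays capped at MAX_PER_PAGE whatever the pagination param says.
class FixedPager < VulnerablePager
  def skip_pagination?(finder)
    super && finder.is_a?(TreeFinder)
  end
end

# Number of items one request yields for a constructed list of `count` entries.
def items_returned(pager_class, finder_class, params, count)
  items = Array.new(count) { |i| "item-#{i}" } # constructed sample data
  pager_class.new(params).paginate(finder_class.new(items)).size
end
```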