Pagination for Branches and Tags can be skipped
Problem
!92624 (merged) introduced an option to skip pagination for the tree API. However, Gitlab::Pagination::GitalyKeysetPager is also used for branches and tags, so pagination=none unintentionally works for those endpoints as well. This can be abused (for example for a DoS attack).
Solution
Make sure that pagination=none is applied only to TreeFinder. The code with the vulnerability.
Reproduction steps
Trying to set per_page > 100, the API returns only 100 elements:
curl --silent http://127.0.0.1:3000/api/v4/projects/2/repository/branches\?per_page\=200 | jq length
100
But with pagination=none, the API returns everything:
curl --silent http://127.0.0.1:3000/api/v4/projects/2/repository/branches\?pagination\=none | jq length
126
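The solution above, as an added illustrative model and not GitLab's own code: the pager honours pagination=none only when the finder is TreeFinder, and every other finder (branches, tags) is clamped to the normal per_page limit. The finder classes, MAX_PER_PAGE and the sample branch list are constructed stand-ins.

```ruby
# Illustrative model of the fix (not GitLab's implementation): skipping
# pagination is allowed only for the tree finder; branches and tags are
# always paged, with per_page clamped to the usual maximum.
MAX_PER_PAGE = 100
DEFAULT_PER_PAGE = 20

class TreeFinder; end      # stand-in for the tree finder
class BranchesFinder; end  # stand-in for the branches finder
class TagsFinder; end      # stand-in for the tags finder

# True only when the request may skip pagination: the pagination=none
# parameter alone is not enough, the finder must be TreeFinder too.
def pagination_skippable?(finder_class, params)
  params[:pagination] == 'none' && finder_class == TreeFinder
end

# Resolves a page of items. An over-large or invalid per_page never
# yields more than MAX_PER_PAGE elements, whatever the finder.
def paginate(finder_class, params, items)
  return items if pagination_skippable?(finder_class, params)

  per_page = (params[:per_page] || DEFAULT_PER_PAGE).to_i
  per_page = DEFAULT_PER_PAGE if per_page <= 0
  per_page = [per_page, MAX_PER_PAGE].min
  page = [(params[:page] || 1).to_i, 1].max

  items.slice((page - 1) * per_page, per_page) || []
end

# Constructed sample data: 126 branch names, matching the count in the
# reproduction above.
BRANCHES = (1..126).map { |i| "branch-#{i}" }

if __FILE__ == $PROGRAM_NAME
  puts paginate(BranchesFinder, { pagination: 'none', per_page: '200' }, BRANCHES).length # 100
  puts paginate(TreeFinder, { pagination: 'none' }, BRANCHES).length                      # 126
end
```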