Fix 500 error for calls without JWT token to Git http
What does this MR do and why?
Contributes to #391771 (closed)
Sentry error: https://new-sentry.gitlab.net/organizations/gitlab/issues/6950
Problem
GitHttpController is used by Workhorse to verify Git requests for HTTP protocol. However, it's also possible to send a direct request to this controller. But the controller is protected by JWT authentication. All direct requests will raise a JWT token exception. This exception is not handled and raises a 500 error.
Solution
Add a handler for JWT decode errors and return a Forbidden (403 error).
How to set up and validate locally
curl -XPOST -H "Authorization: Bearer <YOUR_TOKEN>" http://127.0.0.1:3000/gitlab-org/gitlab-test.git/git-upload-pack
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
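
The failure mode and fix described under Problem and Solution, as an added Ruby example that is not GitLab's code or part of this MR: an action guarded by an HS256 token check, once letting the decode error escape (reported as a 500) and once mapping it to 403. All names here (`TokenDecodeError`, `verify!`, `dispatch`, the action methods, `SECRET`) are hypothetical, and the token check is a minimal stand-in for a JWT library.

```ruby
require 'openssl'
require 'json'

class TokenDecodeError < StandardError; end # hypothetical stand-in for a JWT library's decode error
SECRET = 'constructed-shared-secret' # constructed sample value, not a real key

def b64e(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

def b64d(str) # strict decode: raises ArgumentError on invalid base64url
  (str.tr('-_', '+/') + '=' * (-str.size % 4)).unpack1('m0')
end

def secure_eq?(a, b) # constant-time comparison of two byte strings
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign(payload, secret = SECRET) # builds a token for the demo
  data = "#{b64e({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64e(payload.to_json)}"
  "#{data}.#{b64e(OpenSSL::HMAC.digest('SHA256', secret, data))}"
end

# Missing, malformed and forged tokens all end in TokenDecodeError.
def verify!(token, secret = SECRET)
  parts = token.to_s.split('.', -1)
  raise TokenDecodeError, 'wrong segment count' unless parts.size == 3
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
  raise TokenDecodeError, 'bad signature' unless secure_eq?(b64d(parts[2]), expected)
  JSON.parse(b64d(parts[1]))
rescue ArgumentError, JSON::ParserError => e
  raise TokenDecodeError, e.message
end

def git_http_unhandled(token) # 'before': the decode error escapes the action
  verify!(token)
  [200, 'ok']
end

def git_http_handled(token) # 'after': the decode error becomes 403 Forbidden
  verify!(token)
  [200, 'ok']
rescue TokenDecodeError
  [403, 'Forbidden']
end

def dispatch(action, token) # framework stand-in: uncaught exception => 500
  send(action, token)
rescue StandardError
  [500, 'Internal Server Error']
end
```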