Remove existence check from ProjectUrlConstrainer

Review changes
Download
Patches
Plain diff

Heinrich Lee Yu requested to merge 35289-remove-existence-check-in-url-constrainer into master Oct 31, 2019

Overview 26
Commits 5
Pipelines 15
Changes 28

What does this MR do?

This was causing non-existent projects to fall back to our wildcard not found route which then behaves differently for repository ref paths.

For repository ref paths like blobs, we ignore the format in the URL because these are rendered as HTML. But when it falls back to the not found route, the format is parsed causing Devise to use the wrong status code for unauthenticated requests.

With this change, valid URLs whether the project exists or not will be handled by the same controller so that behavior will be the same.

Only paths that have invalid project paths would fall back to the wildcard catch-all route.

First commit is a revert of the security fix. This is not needed because this should also fix the security issue.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Changelog entry
Documentation created/updated or follow-up review issue created
Code review guidelines
Merge request performance guidelines
Style guides
Database guides
Separation of EE specific content

Availability and Testing

Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Tested in all supported browsers

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

Label as security and @ mention @gitlab-com/gl-security/appsec
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
Security reports checked/validated by a reviewer from the AppSec team

#35289

Edited Oct 31, 2019 by Heinrich Lee Yu

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking