-rw-r--r-- | app/controllers/projects/git_http_controller.rb | 5 | ||||
-rw-r--r-- | changelogs/unreleased/sh-reject-info-refs-head-requests.yml | 5 | ||||
-rw-r--r-- | spec/controllers/projects/git_http_controller_spec.rb | 15 |
3 files changed, 25 insertions, 0 deletions
diff --git a/app/controllers/projects/git_http_controller.rb b/app/controllers/projects/git_http_controller.rb
index 0c5328fc941..f28af42d1b7 100644
--- a/app/controllers/projects/git_http_controller.rb
+++ b/app/controllers/projects/git_http_controller.rb
@@ -4,6 +4,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
   include WorkhorseRequest
 
   before_action :access_check
+  prepend_before_action :deny_head_requests, only: [:info_refs]
 
   rescue_from Gitlab::GitAccess::UnauthorizedError, with: :render_403
   rescue_from Gitlab::GitAccess::NotFoundError, with: :render_404
@@ -32,6 +33,10 @@ class Projects::GitHttpController < Projects::GitHttpClientController
 
   private
 
+  def deny_head_requests
+    head :forbidden if request.head?
+  end
+
   def download_request?
     upload_pack?
   end
diff --git a/changelogs/unreleased/sh-reject-info-refs-head-requests.yml b/changelogs/unreleased/sh-reject-info-refs-head-requests.yml
new file mode 100644
index 00000000000..0dca18e2fd8
--- /dev/null
+++ b/changelogs/unreleased/sh-reject-info-refs-head-requests.yml
@@ -0,0 +1,5 @@
+---
+title: Reject HEAD requests to info/refs endpoint
+merge_request: 26334
+author:
+type: fixed
diff --git a/spec/controllers/projects/git_http_controller_spec.rb b/spec/controllers/projects/git_http_controller_spec.rb
new file mode 100644
index 00000000000..bf099e8deeb
--- /dev/null
+++ b/spec/controllers/projects/git_http_controller_spec.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Projects::GitHttpController do
+  describe 'HEAD #info_refs' do
+    it 'returns 403' do
+      project = create(:project, :public, :repository)
+
+      head :info_refs, params: { namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
+
+      expect(response.status).to eq(403)
+    end
+  end
+end
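Review bot: `prepend_before_action :deny_head_requests, only: [:info_refs]` places the check ahead of every filter inherited from `Projects::GitHttpClientController`, so a HEAD to info/refs is answered before any authentication or project lookup runs; that ordering looks deliberate (nothing about the project is touched for a request that will be refused anyway) but nothing on the line records it, and the class's inherited filter chain is outside this hunk. A comment above the line would keep the next reader from folding it into the plain `before_action` list: `# Prepended so the HEAD check runs before the inherited auth filters; Rails otherwise dispatches HEAD to the GET action.` Restricting the filter with `only: [:info_refs]` presumably leaves the other actions to their route-level method constraints, which are not visible in this diff.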
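Review bot: `deny_head_requests` refuses an unsupported method with 403, and the private method carries no comment saying why HEAD on info/refs must be rejected rather than served a headers-only copy of the GET response, which a reader of this section cannot recover from the code. If 403 is the intended contract (the new spec and the changelog pin it), a one-line comment above the `def` such as `# info/refs is only served as a GET; a bare HEAD is refused outright.` would make that explicit; if the status is open, `head :method_not_allowed` with `response.headers['Allow'] = 'GET'` is the conventional answer for a method the endpoint does not support. Either way the decision should be written down next to the method, since the filter that wires it in is in the earlier hunk.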
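Review bot: The new spec pins only the HEAD → 403 path on a public project, so a filter that accidentally rejected every request (for example if `request.head?` were mistyped) would still pass this file. A companion example asserting that `get :info_refs` with the same params does not return 403 would guard the positive path, and a second HEAD example against a private project would confirm the check still fires before authentication produces a 401. The `params` hash built with `project.path + '.git'` is the same in both cases, so the examples share a `let` cleanly.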