Automatic merge of gitlab-org/gitlab-ce master

dd2c1977 · GitLab Bot · c21bea5d · 8fd407be · dd2c1977 · dd2c1977
Commit dd2c1977 authored Mar 19, 2019 by GitLab Bot
3 changed files
--- a/app/controllers/projects/git_http_controller.rb
+++ b/app/controllers/projects/git_http_controller.rb
@@ -4,6 +4,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
  include WorkhorseRequest

  before_action :access_check
+  prepend_before_action :deny_head_requests, only: [:info_refs]

  rescue_from Gitlab::GitAccess::UnauthorizedError, with: :render_403
  rescue_from Gitlab::GitAccess::NotFoundError, with: :render_404
@@ -32,6 +33,10 @@ class Projects::GitHttpController < Projects::GitHttpClientController

  private

+  def deny_head_requests
+    head :forbidden if request.head?
+  end
+
  def download_request?
    upload_pack?
  end

--- a/changelogs/unreleased/sh-reject-info-refs-head-requests.yml
+++ b/changelogs/unreleased/sh-reject-info-refs-head-requests.yml
+---
+title: Reject HEAD requests to info/refs endpoint
+merge_request: 26334
+author:
+type: fixed
--- a/spec/controllers/projects/git_http_controller_spec.rb
+++ b/spec/controllers/projects/git_http_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Projects::GitHttpController do
+  describe 'HEAD #info_refs' do
+    it 'returns 403' do
+      project = create(:project, :public, :repository)
+
+      head :info_refs, params: { namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
+
+      expect(response.status).to eq(403)
+    end
+  end
+end