Commits · 45c8479472c15acea7e5c30570e5e9fc99032ad8 · nexedi / gitlab-workhorse

04 Jun, 2020 5 commits

Merge branch 'backport-sendgrid-fixes-8-30' into '8-30-stable' · 45c84794
Nick Thomas authored Jun 04, 2020
```
Backport sendgrid fixes to 8-30-stable branch

See merge request gitlab-org/gitlab-workhorse!519
```
45c84794

Test the behaviour of SendURL with less-common upstreams · bd42e919

Nick Thomas authored May 27, 2020

Two cases in particular, lacking a `Content-Type`,  gave us trouble:

* Transfer-Encoding: chunked
* No content-type and no transfer-encoding

Both of these are permitted by the HTTP RFC (cases 3 and 7), and we
can talk to arbitrary HTTP servers via sendurl, so it's imperative that
we handle them correctly. This commit adds tests for both cases.

Responses of the latter type are transparently converted to responses
of the former type. This is an automatic behaviour of the Go stdlib,
which doesn't really support making the second type of response
directly. Since Transfer-Encoding is a hop-by-hop header, this type of
encoding is extremely common, and we're still streaming, instead of
accumulating, the data, I think this is acceptable.

bd42e919

Fix Content-Length set prior to SendUrl injection · 05bf7368
Georges-Etienne Legendre authored May 25, 2020

05bf7368
Disable compression for openHttpArchive · d1a7eb5d
Georges-Etienne Legendre authored May 28, 2020

d1a7eb5d
Add test for reading artifact zips over HTTP · 10f23d51
Jacob Vosmaer authored May 27, 2020

10f23d51

26 May, 2020 2 commits
- Release v8.30.2 · a6e22900
  Nick Thomas authored May 26, 2020
  
  a6e22900
- Merge branch 'security/gb/fix-zip-metadata-resources-8-30' into '8-30-stable' · d238dde7
  Nick Thomas authored May 26, 2020
```
Limit resources when processing artifacts metadata

See merge request gitlab-org/security/gitlab-workhorse!15
```
  d238dde7
22 May, 2020 1 commit
- Limit memory footprint of artifacts metadata processing · bb5352ec
  Grzegorz Bizon authored Apr 10, 2020
  
  bb5352ec
30 Apr, 2020 1 commit
- Merge branch '8-30-stable' of gitlab.com:gitlab-org/security/gitlab-workhorse into 8-30-stable · 9e79e5ba
  Robert Speicher authored Apr 30, 2020
  
  9e79e5ba
07 Apr, 2020 3 commits

Merge branch 'security/gitlab-issue-213139-8-30' into '8-30-stable' · d0573443
Nick Thomas authored Apr 07, 2020
```
Sign artifact multipart fields in Workhorse

See merge request gitlab-org/security/gitlab-workhorse!12
```
d0573443
Release v8.30.1 · f23c1f88
Nick Thomas authored Apr 07, 2020

f23c1f88

Sign artifact multipart fields in Workhorse · 8800a891

Stan Hu authored Apr 06, 2020

This adds the `Gitlab-Workhorse-Multipart-Fields` HTTP header, which
contains a list of signed multipart keys, for the CI artifacts upload
endpoints. This is already done for multipart attachments but was
not done for the the CI artifacts case.

Without this header, Rails can't guarantee that the file attachments
were validated by Workhorse.

This is the Workhorse part of the solution for
https://gitlab.com/gitlab-org/gitlab/-/issues/213139. This needs to be
used by Rails:
https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/403

8800a891

04 Apr, 2020 2 commits
- Merge branch 'release-8-30' into 'master' · 0b04008c
  Nick Thomas authored Apr 04, 2020
```
Release v8.30.0

See merge request gitlab-org/gitlab-workhorse!483
```
  0b04008c
- Release v8.30.0 · fe6a6873
  Nick Thomas authored Apr 04, 2020
  
  fe6a6873
03 Apr, 2020 3 commits
- Merge branch 'proxy-actioncable-ws-route' into 'master' · 866610fa
  Nick Thomas authored Apr 03, 2020
```
Proxy ActionCable websocket connection

See merge request gitlab-org/gitlab-workhorse!454
```
  866610fa
- Add integration test for cable backend · 99d40e17
  Heinrich Lee Yu authored Mar 28, 2020
```
Tests a single backend setup and a separate cable backend setup
```
  99d40e17
- Merge branch 'add-missing-changelog-entry' into 'master' · 73d42cb5
  Alessio Caiazza authored Apr 03, 2020
```
Add a missing CHANGELOG entry

See merge request gitlab-org/gitlab-workhorse!481
```
  73d42cb5
02 Apr, 2020 3 commits
- Update docs in README · 509d9b4b
  Heinrich Lee Yu authored Mar 27, 2020
  
  509d9b4b
- Add options to configure ActionCable backend · 16b3047a
  Heinrich Lee Yu authored Mar 13, 2020
```
This is to support running the ActionCable server in a separate
process from the web server
```
  16b3047a
- Proxy ActionCable websocket connection · 2eb8d8fd
  Heinrich Lee Yu authored Jan 21, 2020
```
Had to use a simple proxy because the other ResponseWriter
wrappers do not support HiJack and we don't need those for
this route anyway
```
  2eb8d8fd
01 Apr, 2020 1 commit
- Add a missing CHANGELOG entry · 5a042d0e
  Nick Thomas authored Apr 01, 2020
  
  5a042d0e
31 Mar, 2020 3 commits
- Merge branch 'release-workhorse-8-29' into 'master' · c961c60b
  Nick Thomas authored Mar 31, 2020
```
Release Workhorse v8.29.0

See merge request gitlab-org/gitlab-workhorse!480
```
  c961c60b
- Release Workhorse v8.29.0 · 32c70229
  Nick Thomas authored Mar 31, 2020
  
  32c70229
- Merge branch 'osw-bump-labkit-version' into 'master' · 359c34ac
  Nick Thomas authored Mar 31, 2020
```
Bump Labkit version to support profiler sample versioning

See merge request gitlab-org/gitlab-workhorse!479
```
  359c34ac
30 Mar, 2020 1 commit

Bump Labkit version · 837c5ae7

Oswaldo Ferreira authored Mar 30, 2020

This version bump refers to fac94cb42 in order to
support Go Continuous Profiling with versioning.

I.e. Workhorse will provide its build version to
the profiler and it'll be presented at the Stackdriver
Profiler UI.

837c5ae7

27 Mar, 2020 1 commit

Merge branch 'jv-simplify-ci' into 'master' · bd84afad

Nick Thomas authored Mar 27, 2020

CI: stop trying to rm -rf gitaly hooks in docker container

See merge request gitlab-org/gitlab-workhorse!477

bd84afad

26 Mar, 2020 1 commit
- Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-workhorse · cf6337cd
  Robert Speicher authored Mar 26, 2020
  
  cf6337cd
25 Mar, 2020 1 commit
- CI: stop trying to rm -rf gitaly hooks in docker container · a289956d
  Jacob Vosmaer authored Mar 25, 2020
  
  a289956d
23 Mar, 2020 4 commits

Merge branch 'security-193100-ignore-duplicate-multipart-params' into 'master' · 7168c2e3
Alessio Caiazza authored Mar 23, 2020
```
Reject parameters that override upload fields

See merge request gitlab-org/security/gitlab-workhorse!3
```
7168c2e3
Release v8.28.0 · 3fbf8ef2
Alessio Caiazza authored Mar 23, 2020

3fbf8ef2

Reject parameters that override upload fields · 7c324521

Markus Koller authored Mar 04, 2020

When Workhorse intercepts file uploads, we store the files and send the
information about the temporary file in new multipart form values called
`file.path`, `file.size` etc.

Since we're also copying all other multipart form values from the
original client request, it was possible to override the values we
set in Workhorse, causing Rails to e.g. load the uploaded file from
an injected `file.path` parameter.

To avoid this, we check if client parameters have the same name as any
of our own added fields and reject the request.

7c324521

Always set internally used upload fields · 75a39b0b

Markus Koller authored Mar 06, 2020

The `path` and `remote_*` fields are not always set in Workhorse
depending on the storage type, but still picked up in Rails.

To avoid injecting any client params with the same name, we just set
these fields to empty strings.

75a39b0b

20 Mar, 2020 4 commits
- Merge branch '250-pypi-object-storage-upload-route-for-package-files-2' into 'master' · 3f55999a
  Nick Thomas authored Mar 20, 2020
```
Resolve "PyPi - Object storage upload route for package files"

See merge request gitlab-org/gitlab-workhorse!474
```
  3f55999a
- Merge branch 'release-8-27' into 'master' · a6556ddd
  Jacob Vosmaer authored Mar 20, 2020
```
Release v8.27.0

See merge request gitlab-org/gitlab-workhorse!476
```
  a6556ddd
- Release v8.27.0 · 211fe633
  Ahmad Sherif authored Mar 20, 2020
  
  211fe633
- Merge branch 'delete-set-cookie-header-from-archive-raw-blob' into 'master' · 91bcaaef
  Jacob Vosmaer authored Mar 20, 2020
```
Remove Set-Cookie header from archive and raw blob responses

See merge request gitlab-org/gitlab-workhorse!475
```
  91bcaaef
19 Mar, 2020 1 commit

Remove Set-Cookie header from archive and raw blob responses · 9672e1fe

Ahmad Sherif authored Mar 18, 2020

CDNs don't cache responses with Set-Cookie header as they assume they
contain some sort of state or user-specific data, which is not the case for
raw blobs and repository archives.

This change allows GitLab installations that sit behind a CDN to benefit from its
caching feature seamlessly.

Related to https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829
and https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/4

9672e1fe

17 Mar, 2020 3 commits
- Corrected mismatch between route and tests · d615e14d
  Daniel Croft authored Mar 17, 2020
  
  d615e14d
- Correct verb and path for PyPI test case. · c96dd042
  Daniel Croft authored Mar 17, 2020
  
  c96dd042
- Added route for PyPI as well as test case. · 33353759
  Daniel Croft authored Mar 17, 2020
  
  33353759