Avoid resource intensive login checks if password is not provided for git http
Summary
Every git HTTP request with a missing or empty password is still checked for password validity.
Steps to reproduce
- Create new repository as not public (internal or private)
- Clone new repository using git http:
git clone https://user@gitlab.example.com/test/repo.git
What is the current bug behavior?
When a git fetch/clone command requires authentication and no password is provided in the URL, it is executed as follows:
- Git CLI tries to fetch/clone using the exact remote URL configuration
- GitLab checks user and empty password for validity
- GitLab answers HTTP 401
- Git CLI credential helper requests password
- Git CLI tries to fetch/clone using the exact remote URL configuration and password
- GitLab checks user and password for validity
- GitLab answers HTTP 200 or 401
What is the expected correct behavior?
GitLab should not check the user and password for validity if the password is nil/empty. The check will fail anyway and a DB request or even worse (i.e. LDAP) can be avoided.
Relevant logs and/or screenshots
Started GET "/test/repo.git/info/refs?service=git-upload-pack" for 10.128.2.1 at 2017-04-06 17:00:52 +0200
Processing by Projects::GitHttpController#info_refs as */*
Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"test", "project_id"=>"repo.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 111ms (Views: 6.4ms | ActiveRecord: 10.1ms)
Started GET "/test/repo.git/info/refs?service=git-upload-pack" for 10.128.2.1 at 2017-04-06 17:00:52 +0200
Processing by Projects::GitHttpController#info_refs as */*
Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"test", "project_id"=>"repo.git"}
Completed 200 OK in 124ms (Views: 0.2ms | ActiveRecord: 13.8ms)
Started POST "/test/repo.git/git-upload-pack" for 10.128.2.1 at 2017-04-06 17:00:52 +0200
Processing by Projects::GitHttpController#git_upload_pack as application/x-git-upload-pack-result
Parameters: {"namespace_id"=>"test", "project_id"=>"repo.git"}
Completed 200 OK in 118ms (Views: 0.2ms | ActiveRecord: 14.1ms)
Possible fixes
Avoid user/password validation if password is nil/empty and respond as not authorized.
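A sketch of the proposed short-circuit, added here as an illustration and not taken from GitLab's code base: the Basic credentials are parsed first, and a blank password is answered with "unauthorized" before any credential backend is called. `CountingBackend`, `parse_basic_auth` and `authenticate` are hypothetical names; the backend stands in for the DB or LDAP lookup and counts how often it is hit.

```ruby
require 'base64'

# Constructed stand-in for an expensive credential backend (DB query, LDAP bind).
# Hypothetical class for this example; it counts calls so the saving is visible.
class CountingBackend
  attr_reader :calls

  def initialize(users)
    @users = users
    @calls = 0
  end

  def valid?(login, password)
    @calls += 1
    @users[login] == password
  end
end

# Parse an HTTP Basic Authorization header value into [login, password].
# Returns nil for a missing, non-Basic or malformed header.
def parse_basic_auth(header)
  scheme, encoded = header.to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('Basic') && encoded

  decoded = Base64.strict_decode64(encoded).force_encoding('UTF-8')
  return nil unless decoded.include?(':')

  decoded.split(':', 2) # limit 2: the password may itself contain ':'
rescue ArgumentError
  nil # invalid base64
end

# Returns :ok or :unauthorized. A blank login or password is rejected
# before the backend is consulted, so no DB/LDAP round trip is spent on it.
def authenticate(header, backend)
  login, password = parse_basic_auth(header)
  return :unauthorized if login.to_s.empty? || password.to_s.empty?

  backend.valid?(login, password) ? :ok : :unauthorized
end
```

With this ordering, the first request of the sequence described above (user name only, empty password) still gets its 401, but `backend.calls` stays at 0 until the client retries with a password.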