HTTP referral links returned on get issue with API via HTTPS
Summary
Links returned as _links in a response to getting an issue via the API use the HTTP protocol even if the API itself was called via HTTPS. It can lead to unsafe connections if the links are used automatically by automated tools.
Steps to reproduce
Request:
curl --header "PRIVATE-TOKEN: XXX" -X GET "https://gitlab.com/api/v4/projects/13083/issues/37190"
Response
{
"id": 6603017,
"iid": 37190,
"project_id": 13083,
"title": "HTTP referral links returned on get issue with API via HTTPS",
"description": "### Summary\n\nLinks returned as `_links` in a response to a getting isssue via an API use HTTP protocol even if the API itself was called via HTTPS. It can lead to unsafe connections if the links are used automatically by automated tools.\n\n### Steps to reproduce\n\nRequest:\n```\ncurl --header \\\"PRIVATE-TOKEN: XXX\\\" -X POST \\\"https://gitlab.com/api/v4/projects?name=test1&namespace_id=YYY\\\"\n```\nResponse\n```\n\n```\n\n### Example Project\n\n(If possible, please create an example project here on GitLab.com that exhibits the problematic behaviour, and link to it here in the bug report)\n\n(If you are using an older version of GitLab, this will also determine whether the bug has been fixed in a more recent version)\n\n### What is the current *bug* behavior?\n\nHTTP is used in the links returned in the `_links` array.\n\n### What is the expected *correct* behavior?\n\nAll links returned in the response should use the same protocol as the one use to connect via API.\n\n### Additional \n\nTested with the gitlab.com API and gitlab-ce API. \n\n### Possible fixes\n\n!13886",
"state": "opened",
"created_at": "2017-08-29T12:41:10.579Z",
"updated_at": "2017-08-29T12:41:10.579Z",
"labels": [],
"milestone": null,
"assignees": [],
"author": {
"name": "EmilienMottet",
"username": "EmilienMottet",
"id": 328296,
"state": "active",
"avatar_url": "https://secure.gravatar.com/avatar/9ed867b7afbf3efa011d0e7d7491731f?s=80&d=identicon",
"web_url": "https://gitlab.com/EmilienMottet"
},
"assignee": null,
"user_notes_count": 0,
"upvotes": 0,
"downvotes": 0,
"due_date": null,
"confidential": false,
"weight": null,
"web_url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/37190",
"_links": {
"self": "http://gitlab.com/api/v4/projects/13083/issues/37190",
"notes": "http://gitlab.com/api/v4/projects/13083/issues/37190/notes",
"award_emoji": "http://gitlab.com/api/v4/projects/13083/issues/37190/award_emoji",
"project": "http://gitlab.com/api/v4/projects/13083"
},
"subscribed": true
}
What is the current bug behavior?
HTTP is used in the links returned in the _links array.
What is the expected correct behavior?
All links returned in the response should use the same protocol as the one used to connect via the API.
Additional
This bug is similar to this one #36989
Tested with the gitlab.com API and gitlab-ce API.
Possible fixes
Edited by username-removed-328296
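
A client-side guard for the behaviour reported above, as an added example that is not part of the original issue or of GitLab's code: before an automated tool follows a _links URL with the token attached, it pins the URL to the scheme and host of the HTTPS request and reports which links arrived as plain HTTP. The names safe_links and UnsafeLink and the sample body (copied from the _links object in the response above) are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the "_links" object from the response shown above.
SAMPLE = json.dumps({"_links": {
    "self": "http://gitlab.com/api/v4/projects/13083/issues/37190",
    "notes": "http://gitlab.com/api/v4/projects/13083/issues/37190/notes",
    "award_emoji": "http://gitlab.com/api/v4/projects/13083/issues/37190/award_emoji",
    "project": "http://gitlab.com/api/v4/projects/13083",
}})


class UnsafeLink(ValueError):
    """A link that must not be followed with the API token attached."""


def safe_links(request_url, body):
    """Return (links, downgraded).

    links: every _links URL rewritten to the request's scheme and host.
    downgraded: names of links the server returned with a non-HTTPS scheme.
    """
    req = urlsplit(request_url)
    if req.scheme != "https":
        raise UnsafeLink("API base URL itself is not HTTPS")
    links, downgraded = {}, []
    for name, url in json.loads(body).get("_links", {}).items():
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            raise UnsafeLink(f"{name}: unexpected scheme in {url!r}")
        # Only rewrite links pointing back at the host already trusted;
        # a foreign host is rejected rather than silently upgraded.
        if parts.hostname != req.hostname or parts.port not in (None, 80, 443):
            raise UnsafeLink(f"{name}: unexpected host in {url!r}")
        if parts.scheme != "https":
            downgraded.append(name)
        links[name] = urlunsplit(
            ("https", req.netloc, parts.path, parts.query, ""))
    return links, downgraded


if __name__ == "__main__":
    fixed, weak = safe_links(
        "https://gitlab.com/api/v4/projects/13083/issues/37190", SAMPLE)
    print("returned over HTTP:", ", ".join(sorted(weak)))
    for name, url in fixed.items():
        print(name, "->", url)
```

Logging the downgraded names makes the server-side behaviour visible in tooling, so the rewrite does not mask it.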