PreAuthorize flow (and others?) follow HTTP redirects, rather than copying them to the client
reference: https://golang.org/pkg/net/http https://gitlab.com/gitlab-org/gitlab-workhorse/blob/master/internal/api/api.go#L60
When doing a PreAuthorize request to check whether an action (like git-http) is permitted, we use a fairly simple net/http.Client with a default transport. This is currently set up to follow redirects, but the correct action is actually to process the 3xx response ourselves, and probably to return it to the client.

If the redirect is to an https URL, we get the following sentry errors: https://gitlab.com/gitlab-org/gitlab-ce/issues/28613#note_24095979

Fixing this should just be a matter of setting CheckRedirect to a function that always returns false, and auditing for any other cases that need it.
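Added example of the proposed fix (not workhorse's own code): in net/http, CheckRedirect returns an error rather than a bool, and returning http.ErrUseLastResponse is what makes the client stop and hand back the 3xx unfollowed, which the caller can then copy to its own client. The function names, the backend stand-in and its URL path are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newPreAuthorizeClient builds the client used for the pre-authorization
// round trip. Returning http.ErrUseLastResponse from CheckRedirect makes
// net/http return the 3xx response itself (body still open) instead of
// chasing Location and opening a new, possibly TLS, connection upstream.
func newPreAuthorizeClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// preAuthorize performs the internal API request and returns the raw
// response, 3xx included, so the caller decides what to do with it.
func preAuthorize(client *http.Client, url string) (*http.Response, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	return client.Do(req)
}

// relayRedirect copies a redirect's status and Location header to the
// downstream client rather than resolving the redirect server-side.
func relayRedirect(w http.ResponseWriter, resp *http.Response) {
	if loc := resp.Header.Get("Location"); loc != "" {
		w.Header().Set("Location", loc)
	}
	w.WriteHeader(resp.StatusCode)
}

func main() {
	// Constructed stand-in for the backend: always answers 302 to an https URL.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "https://gitlab.example.invalid/login", http.StatusFound)
	}))
	defer backend.Close()
	resp, err := preAuthorize(newPreAuthorizeClient(), backend.URL+"/api/v3/internal/allowed")
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	fmt.Println(resp.StatusCode, resp.Header.Get("Location"))
}
```

With the default client the same call would instead attempt the https connection to the redirect target and surface that failure as the pre-authorization error.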