Merge branch 'ag-block-git-push-when-read-only' into 'master'

Block git push over HTTP when database is in read-only mode See merge request gitlab-org/gitlab!47673

Merge branch 'ag-block-git-push-when-read-only' into 'master'
Block git push over HTTP when database is in read-only mode See merge request gitlab-org/gitlab!47673
11a52f73 · Michael Kozono · 2025e7da · 805e9886 · 11a52f73 · 11a52f73
Commit 11a52f73 authored Nov 16, 2020 by Michael Kozono
5 changed files
--- a/ee/changelogs/unreleased/ag-block-git-push-when-read-only.yml
+++ b/ee/changelogs/unreleased/ag-block-git-push-when-read-only.yml
+---
+title: Block git push over HTTP when database is read-only
+merge_request: 47673
+author:
+type: changed
--- a/ee/lib/ee/gitlab/middleware/read_only/controller.rb
+++ b/ee/lib/ee/gitlab/middleware/read_only/controller.rb
@@ -16,11 +16,15 @@ module EE
            'admin/geo/uploads' => %w{destroy}
          }.freeze
+          ALLOWLISTED_GIT_WRITE_ROUTES = {
+            'repositories/git_http' => %w{git_receive_pack}
+          }.freeze
          private
          override :allowlisted_routes
          def allowlisted_routes
-            super || geo_node_update_route? || geo_proxy_git_ssh_route? || geo_api_route?
+            super || geo_node_update_route? || geo_proxy_git_ssh_route? || geo_api_route? || geo_proxy_git_http_route?
          end
          def geo_node_update_route?
@@ -43,6 +47,12 @@ module EE
            end
          end
+          def geo_proxy_git_http_route?
+            return unless request.path.end_with?('.git/git-receive-pack')
+            ALLOWLISTED_GIT_WRITE_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
+          end
          def geo_api_route?
            ::Gitlab::Middleware::ReadOnly::API_VERSIONS.any? do |version|
              request.path.include?("/api/v#{version}/geo_replication")

--- a/ee/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_ee_instance_shared_examples.rb
+++ b/ee/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_ee_instance_shared_examples.rb
@@ -43,5 +43,12 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance' do
      expect(response).not_to be_redirect
      expect(subject).not_to disallow_request
    end
+    it 'expects a POST request to git-receive-pack URL to be allowed' do
+      response = request.post('/root/rouge.git/git-receive-pack')
+      expect(response).not_to be_redirect
+      expect(subject).not_to disallow_request
+    end
  end
 end
--- a/lib/gitlab/middleware/read_only/controller.rb
+++ b/lib/gitlab/middleware/read_only/controller.rb
@@ -10,7 +10,7 @@ module Gitlab
        ERROR_MESSAGE = 'You cannot perform write operations on a read-only instance'
        ALLOWLISTED_GIT_ROUTES = {
-          'repositories/git_http' => %w{git_upload_pack git_receive_pack}
+          'repositories/git_http' => %w{git_upload_pack}
        }.freeze
        ALLOWLISTED_GIT_LFS_ROUTES = {
@@ -96,7 +96,7 @@ module Gitlab
        def workhorse_passthrough_route?
          # Calling route_hash may be expensive. Only do it if we think there's a possible match
          return false unless request.post? &&
-            request.path.end_with?('.git/git-upload-pack', '.git/git-receive-pack')
+            request.path.end_with?('.git/git-upload-pack')
          ALLOWLISTED_GIT_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
        end

--- a/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
+++ b/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
@@ -128,7 +128,6 @@ RSpec.shared_examples 'write access for a read-only GitLab instance' do
        'LFS request to locks create' | '/root/rouge.git/info/lfs/locks'
        'LFS request to locks unlock' | '/root/rouge.git/info/lfs/locks/1/unlock'
        'request to git-upload-pack'  | '/root/rouge.git/git-upload-pack'
-        'request to git-receive-pack' | '/root/rouge.git/git-receive-pack'
      end
      with_them do