Reject HEAD requests to info/refs endpoint

In production, we see high error rates due to clients attempting to use
the dumb Git HTTP protocol with HEAD /foo/bar.git/info/refs
endpoint. This isn't supported and causes Error 500s because Workhorse
doesn't send along its secret because it's not proxying this request.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54579

app/controllers/projects/git_http_controller.rb

@@ -4,6 +4,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
   include WorkhorseRequest
 
   before_action :access_check
+  prepend_before_action :deny_head_requests, only: [:info_refs]
 
   rescue_from Gitlab::GitAccess::UnauthorizedError, with: :render_403
   rescue_from Gitlab::GitAccess::NotFoundError, with: :render_404
@@ -32,6 +33,10 @@ class Projects::GitHttpController < Projects::GitHttpClientController
 
   private
 
+  def deny_head_requests
+    head :forbidden if request.head?
+  end
+
   def download_request?
     upload_pack?
   end

changelogs/unreleased/sh-reject-info-refs-head-requests.yml

+---
+title: Reject HEAD requests to info/refs endpoint
+merge_request: 26334
+author:
+type: fixed

spec/controllers/projects/git_http_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Projects::GitHttpController do
+  describe 'HEAD #info_refs' do
+    it 'returns 403' do
+      project = create(:project, :public, :repository)
+
+      head :info_refs, params: { namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
+
+      expect(response.status).to eq(403)
+    end
+  end
+end