Merge branch 'main' into fix-logout-baseurl

Author: kriswest

src/proxy/routes/index.ts

@@ -6,23 +6,31 @@ import { executeChain } from '../chain';
 import { processUrlPath, validGitRequest, getAllProxiedHosts } from './helper';
 import { ProxyOptions } from 'express-http-proxy';
 
+enum ActionType {
+  // eslint-disable-next-line no-unused-vars
+  ALLOWED = 'Allowed',
+  // eslint-disable-next-line no-unused-vars
+  ERROR = 'Error',
+  // eslint-disable-next-line no-unused-vars
+  BLOCKED = 'Blocked',
+}
+
 const logAction = (
   url: string,
   host: string | null | undefined,
   userAgent: string | null | undefined,
-  errMsg: string | null | undefined,
-  blockMsg?: string | null | undefined,
+  type: ActionType,
+  message?: string,
 ) => {
-  let msg = `Action processed: ${!(errMsg || blockMsg) ? 'Allowed' : 'Blocked'}
+  let msg = `Action processed: ${type}
     Request URL: ${url}
     Host:        ${host}
     User-Agent:  ${userAgent}`;
-  if (errMsg) {
-    msg += `\n    Error:       ${errMsg}`;
-  }
-  if (blockMsg) {
-    msg += `\n    Blocked:     ${blockMsg}`;
+
+  if (message && type !== ActionType.ALLOWED) {
+    msg += `\n    ${type}:       ${message}`;
   }
+
   console.log(msg);
 };
 
@@ -34,76 +42,69 @@ const proxyFilter: ProxyOptions['filter'] = async (req, res) => {
       urlComponents.gitPath === undefined ||
       !validGitRequest(urlComponents.gitPath, req.headers)
     ) {
-      logAction(
-        req.url,
-        req.headers.host,
-        req.headers['user-agent'],
-        'Invalid request received',
-        null,
-      );
-      // return status 200 to ensure that the error message is rendered by the git client
-      res.status(200).send(handleMessage('Invalid request received'));
+      const message = 'Invalid request received';
+      logAction(req.url, req.headers.host, req.headers['user-agent'], ActionType.ERROR, message);
+      res.status(200).send(handleMessage(message));
       return false;
     }
 
     const action = await executeChain(req, res);
 
     if (action.error || action.blocked) {
-      res.set('content-type', 'application/x-git-receive-pack-result');
-      res.set('expires', 'Fri, 01 Jan 1980 00:00:00 GMT');
-      res.set('pragma', 'no-cache');
-      res.set('cache-control', 'no-cache, max-age=0, must-revalidate');
-      res.set('vary', 'Accept-Encoding');
-      res.set('x-frame-options', 'DENY');
-      res.set('connection', 'close');
-
-      const packetMessage = handleMessage(action.errorMessage ?? action.blockedMessage ?? '');
-
-      logAction(
-        req.url,
-        req.headers.host,
-        req.headers['user-agent'],
-        action.errorMessage,
-        action.blockedMessage,
-      );
-      // return status 200 to ensure that the error message is rendered by the git client
-      res.status(200).send(packetMessage);
+      const message = action.errorMessage ?? action.blockedMessage ?? 'Unknown error';
+      const type = action.error ? ActionType.ERROR : ActionType.BLOCKED;
+
+      logAction(req.url, req.headers.host, req.headers['user-agent'], type, message);
+      sendErrorResponse(req, res, message);
       return false;
     }
 
-    logAction(
-      req.url,
-      req.headers.host,
-      req.headers['user-agent'],
-      action.errorMessage,
-      action.blockedMessage,
-    );
+    logAction(req.url, req.headers.host, req.headers['user-agent'], ActionType.ALLOWED);
 
     // this is the only case where we do not respond directly, instead we return true to proxy the request
     return true;
   } catch (e) {
-    const packetMessage = handleMessage(`Error occurred in proxy filter function ${e}`);
-
-    logAction(
-      req.url,
-      req.headers.host,
-      req.headers['user-agent'],
-      'Error occurred in proxy filter function: ' + ((e as Error).message ?? e),
-      null,
-    );
+    const message = `Error occurred in proxy filter function ${(e as Error).message ?? e}`;
 
-    // return status 200 to ensure that the error message is rendered by the git client
-    res.status(200).send(packetMessage);
+    logAction(req.url, req.headers.host, req.headers['user-agent'], ActionType.ERROR, message);
+    sendErrorResponse(req, res, message);
     return false;
   }
 };
 
+const sendErrorResponse = (req: Request, res: Response, message: string): void => {
+  // GET requests to /info/refs (used to check refs for many git operations) must use Git protocol error packet format
+  if (req.method === 'GET' && req.url.includes('/info/refs')) {
+    res.set('content-type', 'application/x-git-upload-pack-advertisement');
+    res.status(200).send(handleRefsErrorMessage(message));
+    return;
+  }
+
+  // Standard git receive-pack response
+  res.set('content-type', 'application/x-git-receive-pack-result');
+  res.set('expires', 'Fri, 01 Jan 1980 00:00:00 GMT');
+  res.set('pragma', 'no-cache');
+  res.set('cache-control', 'no-cache, max-age=0, must-revalidate');
+  res.set('vary', 'Accept-Encoding');
+  res.set('x-frame-options', 'DENY');
+  res.set('connection', 'close');
+
+  res.status(200).send(handleMessage(message));
+};
+
 const handleMessage = (message: string): string => {
   const body = `\t${message}`;
   const len = (6 + Buffer.byteLength(body)).toString(16).padStart(4, '0');
   return `${len}\x02${body}\n0000`;
 };
 
+const handleRefsErrorMessage = (message: string): string => {
+  // Git protocol for GET /info/refs error packets: PKT-LINE("ERR" SP explanation-text)
+  const errorBody = `ERR ${message}`;
+  const len = (4 + Buffer.byteLength(errorBody)).toString(16).padStart(4, '0');
+  return `${len}${errorBody}\n0000`;
+};
+
 const getRequestPathResolver: (prefix: string) => ProxyOptions['proxyReqPathResolver'] = (
   prefix,
 ) => {
@@ -155,15 +156,10 @@ const teeAndValidate = async (req: Request, res: Response, next: NextFunction) =
     (req as any).body = buf;
     const verdict = await executeChain(req, res);
     if (verdict.error || verdict.blocked) {
-      const msg = verdict.errorMessage ?? verdict.blockedMessage ?? '';
+      const message = verdict.errorMessage ?? verdict.blockedMessage ?? 'Unknown error';
+      const type = verdict.error ? ActionType.ERROR : ActionType.BLOCKED;
 
-      logAction(
-        req.url,
-        req.headers?.host,
-        req.headers?.['user-agent'],
-        verdict.errorMessage,
-        verdict.blockedMessage,
-      );
+      logAction(req.url, req.headers?.host, req.headers?.['user-agent'], type, message);
 
       res
         .set({
@@ -176,7 +172,7 @@ const teeAndValidate = async (req: Request, res: Response, next: NextFunction) =
           connection: 'close',
         })
         .status(200) // return status 200 to ensure that the error message is rendered by the git client
-        .send(handleMessage(msg));
+        .send(handleMessage(message));
       return;
     }
 
@@ -261,4 +257,12 @@ const getRouter = async () => {
   return router;
 };
 
-export { proxyFilter, getRouter, handleMessage, isPackPost, teeAndValidate, validGitRequest };
+export {
+  proxyFilter,
+  getRouter,
+  handleMessage,
+  handleRefsErrorMessage,
+  isPackPost,
+  teeAndValidate,
+  validGitRequest,
+};

test/testProxyRoute.test.js

@@ -1,4 +1,4 @@
-const { handleMessage, validGitRequest } = require('../src/proxy/routes');
+const { handleMessage, handleRefsErrorMessage, validGitRequest } = require('../src/proxy/routes');
 const chai = require('chai');
 const chaiHttp = require('chai-http');
 chai.use(chaiHttp);
@@ -336,6 +336,39 @@ describe('proxyFilter function', async () => {
     const result = await proxyRoutes.proxyFilter(req, res);
     expect(result).to.be.true;
   });
+
+  it('should handle GET /info/refs with blocked action using Git protocol error format', async () => {
+    const req = {
+      url: '/proj/repo.git/info/refs?service=git-upload-pack',
+      method: 'GET',
+      headers: {
+        host: 'localhost',
+        'user-agent': 'git/2.34.1',
+      },
+    };
+    const res = {
+      set: sinon.spy(),
+      status: sinon.stub().returnsThis(),
+      send: sinon.spy(),
+    };
+
+    const actionToReturn = {
+      blocked: true,
+      blockedMessage: 'Repository not in authorised list',
+    };
+
+    executeChainStub.returns(actionToReturn);
+    const result = await proxyRoutes.proxyFilter(req, res);
+
+    expect(result).to.be.false;
+
+    const expectedPacket = handleRefsErrorMessage('Repository not in authorised list');
+
+    expect(res.set.calledWith('content-type', 'application/x-git-upload-pack-advertisement')).to.be
+      .true;
+    expect(res.status.calledWith(200)).to.be.true;
+    expect(res.send.calledWith(expectedPacket)).to.be.true;
+  });
 });
 
 describe('proxy express application', async () => {