feat(proxy): introduce teeAndValidate middleware for pack POSTs

Author: fabiovincenzi

src/proxy/routes/index.ts

@@ -1,5 +1,7 @@
-import { Router } from 'express';
+import { Router, Request, Response, NextFunction } from 'express';
 import proxy from 'express-http-proxy';
+import { PassThrough } from 'stream';
+import getRawBody from 'raw-body';
 import { executeChain } from '../chain';
 import { getProxyUrl } from '../../config';
 
@@ -33,7 +35,7 @@ const stripGitHubFromGitPath = (url: string): string | undefined => {
  * @return {boolean} If true, this is a valid and expected git request. Otherwise, false.
  */
 const validGitRequest = (url: string, headers: any): boolean => {
-  const { 'user-agent': agent, accept } = headers;
+  const { 'user-agent': agent = '', accept = '' } = headers;
   if (['/info/refs?service=git-upload-pack', '/info/refs?service=git-receive-pack'].includes(url)) {
     // https://www.git-scm.com/docs/http-protocol#_discovering_references
     // We can only filter based on User-Agent since the Accept header is not
@@ -47,89 +49,95 @@ const validGitRequest = (url: string, headers: any): boolean => {
   return false;
 };
 
+const isPackPost = (req: Request) =>
+  req.method === 'POST' && /\/.*\.git\/(git-upload-pack|git-receive-pack)$/.test(req.url);
+
+const teeAndValidate = async (req: Request, res: Response, next: NextFunction) => {
+  if (!isPackPost(req)) return next();
+
+  const proxyStream = new PassThrough();
+  const pluginStream = new PassThrough();
+
+  req.pipe(proxyStream);
+  req.pipe(pluginStream);
+
+  try {
+    const buf = await getRawBody(pluginStream, { limit: '1gb' });
+    (req as any).body = buf;
+    const verdict = await executeChain(req, res);
+    console.log('action processed');
+
+    if (verdict.error || verdict.blocked) {
+      const msg = verdict.error ? verdict.errorMessage! : verdict.blockedMessage!;
+      res
+        .set({
+          'content-type': 'application/x-git-receive-pack-result',
+          'transfer-encoding': 'chunked',
+          expires: 'Fri, 01 Jan 1980 00:00:00 GMT',
+          pragma: 'no-cache',
+          'cache-control': 'no-cache, max-age=0, must-revalidate',
+          vary: 'Accept-Encoding',
+          'x-frame-options': 'DENY',
+          connection: 'close',
+        })
+        .status(200)
+        .send(handleMessage(msg));
+      return;
+    }
+
+    (req as any).pipe = (dest: any, opts: any) => proxyStream.pipe(dest, opts);
+    next();
+  } catch (e) {
+    console.error(e);
+    proxyStream.destroy(e as Error);
+    res.status(500).end('Proxy error');
+  }
+};
+
+router.use(teeAndValidate);
+
 router.use(
   '/',
   proxy(getProxyUrl(), {
+    parseReqBody: false,
     preserveHostHdr: false,
-    filter: async function (req, res) {
-      try {
-        console.log('request url: ', req.url);
-        console.log('host: ', req.headers.host);
-        console.log('user-agent: ', req.headers['user-agent']);
-        const gitPath = stripGitHubFromGitPath(req.url);
-        if (gitPath === undefined || !validGitRequest(gitPath, req.headers)) {
-          res.status(400).send('Invalid request received');
-          return false;
-        }
-
-        const action = await executeChain(req, res);
-        console.log('action processed');
-
-        if (action.error || action.blocked) {
-          res.set('content-type', 'application/x-git-receive-pack-result');
-          res.set('transfer-encoding', 'chunked');
-          res.set('expires', 'Fri, 01 Jan 1980 00:00:00 GMT');
-          res.set('pragma', 'no-cache');
-          res.set('cache-control', 'no-cache, max-age=0, must-revalidate');
-          res.set('vary', 'Accept-Encoding');
-          res.set('x-frame-options', 'DENY');
-          res.set('connection', 'close');
-
-          let message = '';
-
-          if (action.error) {
-            message = action.errorMessage!;
-            console.error(message);
-          }
-          if (action.blocked) {
-            message = action.blockedMessage!;
-          }
-
-          const packetMessage = handleMessage(message);
-
-          console.log(req.headers);
-
-          res.status(200).send(packetMessage);
-
-          return false;
-        }
-
-        return true;
-      } catch (e) {
-        console.error(e);
+
+    filter: async (req, res) => {
+      console.log('request url: ', req.url);
+      console.log('host: ', req.headers.host);
+      console.log('user-agent: ', req.headers['user-agent']);
+      const gitPath = stripGitHubFromGitPath(req.url);
+      if (gitPath === undefined || !validGitRequest(gitPath, req.headers)) {
+        res.status(400).send('Invalid request received');
         return false;
       }
+      return true;
     },
+
     proxyReqPathResolver: (req) => {
       const url = getProxyUrl() + req.originalUrl;
       console.log('Sending request to ' + url);
       return url;
     },
-    proxyReqOptDecorator: function (proxyReqOpts) {
-      return proxyReqOpts;
-    },
 
-    proxyReqBodyDecorator: function (bodyContent, srcReq) {
-      if (srcReq.method === 'GET') {
-        return '';
-      }
-      return bodyContent;
-    },
-
-    proxyErrorHandler: function (err, res, next) {
+    proxyErrorHandler: (err, res, next) => {
       console.log(`ERROR=${err}`);
       next(err);
     },
   }),
 );
 
 const handleMessage = (message: string): string => {
-  const errorMessage = `\t${message}`;
-  const len = 6 + new TextEncoder().encode(errorMessage).length;
-
-  const prefix = len.toString(16);
-  const packetMessage = `${prefix.padStart(4, '0')}\x02${errorMessage}\n0000`;
-  return packetMessage;
+  const body = `\t${message}`;
+  const len = (6 + Buffer.byteLength(body)).toString(16).padStart(4, '0');
+  return `${len}\x02${body}\n0000`;
 };
 
-export { router, handleMessage, validGitRequest, stripGitHubFromGitPath };
+export {
+  router,
+  handleMessage,
+  validGitRequest,
+  teeAndValidate,
+  isPackPost,
+  stripGitHubFromGitPath,
+};