Merge pull request #1060 from fabiovincenzi/clone-fix

fix(proxy): preserve original Git pack POST streams before validation

Author: JamieSlome

cypress/e2e/repo.cy.js

@@ -10,7 +10,7 @@ describe('Repo', () => {
 
   describe('Code button for repo row', () => {
     it('Opens tooltip with correct content and can copy', () => {
-      const cloneURL = 'http://localhost:8000/finos/test-repo.git';
+      const cloneURL = 'http://localhost:8000/finos/git-proxy.git';
       const tooltipQuery = 'div[role="tooltip"]';
 
       cy
@@ -19,8 +19,8 @@ describe('Repo', () => {
         .should('not.exist');
 
       cy
-        // find the entry for finos/test-repo
-        .get('a[href="/dashboard/repo/test-repo"]')
+        // find the entry for finos/git-proxy
+        .get('a[href="/dashboard/repo/git-proxy"]')
         // take it's parent row
         .closest('tr')
         // find the nearby span containing Code we can click to open the tooltip

package-lock.json

@@ -46,7 +46,6 @@
     "axios": "^1.6.0",
     "bcryptjs": "^3.0.2",
     "bit-mask": "^1.0.2",
-    "body-parser": "^2.2.0",
     "classnames": "2.5.1",
     "concurrently": "^9.0.0",
     "connect-mongo": "^5.1.0",

package.json

@@ -1,5 +1,4 @@
 import express, { Application } from 'express';
-import bodyParser from 'body-parser';
 import http from 'http';
 import https from 'https';
 import fs from 'fs';
@@ -57,8 +56,6 @@ export const proxyPreparations = async () => {
 // just keep this async incase it needs async stuff in the future
 const createApp = async (): Promise<Application> => {
   const app = express();
-  // Setup the proxy middleware
-  app.use(bodyParser.raw(options));
   app.use('/', router);
   return app;
 };

src/proxy/index.ts

@@ -1,5 +1,7 @@
-import { Router } from 'express';
+import { Router, Request, Response, NextFunction } from 'express';
 import proxy from 'express-http-proxy';
+import { PassThrough } from 'stream';
+import getRawBody from 'raw-body';
 import { executeChain } from '../chain';
 import { getProxyUrl } from '../../config';
 
@@ -48,93 +50,109 @@ const validGitRequest = (url: string, headers: any): boolean => {
       return false;
     }
     // https://www.git-scm.com/docs/http-protocol#_uploading_data
-    return agent.startsWith('git/') && accept.startsWith('application/x-git-') ;
+    return agent.startsWith('git/') && accept.startsWith('application/x-git-');
   }
   return false;
 };
 
+const isPackPost = (req: Request) =>
+  req.method === 'POST' &&
+  // eslint-disable-next-line no-useless-escape
+  /^\/[^\/]+\/[^\/]+\.git\/(?:git-upload-pack|git-receive-pack)$/.test(req.url);
+
+const teeAndValidate = async (req: Request, res: Response, next: NextFunction) => {
+  if (!isPackPost(req)) return next();
+
+  const proxyStream = new PassThrough();
+  const pluginStream = new PassThrough();
+
+  req.pipe(proxyStream);
+  req.pipe(pluginStream);
+
+  try {
+    const buf = await getRawBody(pluginStream, { limit: '1gb' });
+    (req as any).body = buf;
+    const verdict = await executeChain(req, res);
+    console.log('action processed');
+    if (verdict.error || verdict.blocked) {
+      let msg = '';
+
+      if (verdict.error) {
+        msg = verdict.errorMessage!;
+        console.error(msg);
+      }
+      if (verdict.blocked) {
+        msg = verdict.blockedMessage!;
+      }
+
+      res
+        .set({
+          'content-type': 'application/x-git-receive-pack-result',
+          expires: 'Fri, 01 Jan 1980 00:00:00 GMT',
+          pragma: 'no-cache',
+          'cache-control': 'no-cache, max-age=0, must-revalidate',
+          vary: 'Accept-Encoding',
+          'x-frame-options': 'DENY',
+          connection: 'close',
+        })
+        .status(200)
+        .send(handleMessage(msg));
+      return;
+    }
+
+    (req as any).pipe = (dest: any, opts: any) => proxyStream.pipe(dest, opts);
+    next();
+  } catch (e) {
+    console.error(e);
+    proxyStream.destroy(e as Error);
+    res.status(500).end('Proxy error');
+  }
+};
+
+router.use(teeAndValidate);
+
 router.use(
   '/',
   proxy(getProxyUrl(), {
+    parseReqBody: false,
     preserveHostHdr: false,
-    filter: async function (req, res) {
-      try {
-        console.log('request url: ', req.url);
-        console.log('host: ', req.headers.host);
-        console.log('user-agent: ', req.headers['user-agent']);
-        const gitPath = stripGitHubFromGitPath(req.url);
-        if (gitPath === undefined || !validGitRequest(gitPath, req.headers)) {
-          res.status(400).send('Invalid request received');
-          return false;
-        }
-
-        const action = await executeChain(req, res);
-        console.log('action processed');
-
-        if (action.error || action.blocked) {
-          res.set('content-type', 'application/x-git-receive-pack-result');
-          res.set('expires', 'Fri, 01 Jan 1980 00:00:00 GMT');
-          res.set('pragma', 'no-cache');
-          res.set('cache-control', 'no-cache, max-age=0, must-revalidate');
-          res.set('vary', 'Accept-Encoding');
-          res.set('x-frame-options', 'DENY');
-          res.set('connection', 'close');
-
-          let message = '';
-
-          if (action.error) {
-            message = action.errorMessage!;
-            console.error(message);
-          }
-          if (action.blocked) {
-            message = action.blockedMessage!;
-          }
-
-          const packetMessage = handleMessage(message);
-
-          console.log(req.headers);
-
-          res.status(200).send(packetMessage);
-
-          return false;
-        }
-
-        return true;
-      } catch (e) {
-        console.error(e);
+
+    filter: async (req, res) => {
+      console.log('request url: ', req.url);
+      console.log('host: ', req.headers.host);
+      console.log('user-agent: ', req.headers['user-agent']);
+      const gitPath = stripGitHubFromGitPath(req.url);
+      if (gitPath === undefined || !validGitRequest(gitPath, req.headers)) {
+        res.status(400).send('Invalid request received');
         return false;
       }
+      return true;
     },
+
     proxyReqPathResolver: (req) => {
       const url = getProxyUrl() + req.originalUrl;
       console.log('Sending request to ' + url);
       return url;
     },
-    proxyReqOptDecorator: function (proxyReqOpts) {
-      return proxyReqOpts;
-    },
 
-    proxyReqBodyDecorator: function (bodyContent, srcReq) {
-      if (srcReq.method === 'GET') {
-        return '';
-      }
-      return bodyContent;
-    },
-
-    proxyErrorHandler: function (err, res, next) {
+    proxyErrorHandler: (err, res, next) => {
       console.log(`ERROR=${err}`);
       next(err);
     },
   }),
 );
 
 const handleMessage = (message: string): string => {
-  const errorMessage = `\t${message}`;
-  const len = 6 + new TextEncoder().encode(errorMessage).length;
-
-  const prefix = len.toString(16);
-  const packetMessage = `${prefix.padStart(4, '0')}\x02${errorMessage}\n0000`;
-  return packetMessage;
+  const body = `\t${message}`;
+  const len = (6 + Buffer.byteLength(body)).toString(16).padStart(4, '0');
+  return `${len}\x02${body}\n0000`;
 };
 
-export { router, handleMessage, validGitRequest, stripGitHubFromGitPath };
+export {
+  router,
+  handleMessage,
+  validGitRequest,
+  teeAndValidate,
+  isPackPost,
+  stripGitHubFromGitPath,
+};