Comments (9)
It's not a bug, it's looks like a valid security setting
Oh thanks, I was not aware of this. Not really a standard thing, but still somewhat common it seems: https://stackoverflow.com/questions/5942780/why-is-it-a-security-risk-to-allow-encoded-slashes-in-a-uri
Okay, last question: what would be the disadvantage if the plugin sends to the Gitlab's API the CI_PROJECT_ID instead of the CI_PROJECT_PATH?
Good question! There might be edge cases where folks set CI_PROJECT_PATH
explicitly that could then break.
Now it just depends what is more common - folks that have proxies messing with the URL, or folks that set CI_PROJECT_PATH
... 🤔
I'd tend to say we can switch to CI_PROJECT_ID
but I'd like to hear opinions from other maintainers before proceeding, WDYT @travi @gr2m?
from gitlab.
I don't really know gitlab but your based on the discussion the suggestion sounds good to me 👍🏼
Thanks, then let's do it: #576
from gitlab.
Having the same issue, any idea how to fix?
from gitlab.
Hm, this sounds more like a problem on your end.
Accessing the API via project path works if the path is properly URL-encoded. This is the case for semantic-release, but not in your curl invocation.
I guess you're having authentication issues. Did you follow https://semantic-release.gitbook.io/semantic-release/v/beta/usage/ci-configuration#push-access-to-the-remote-repository?
from gitlab.
Hm, this sounds more like a problem on your end. Accessing the API via project path works if the path is properly URL-encoded. This is the case for semantic-release, but not in your curl invocation.
I went around the problem and looks like the encoded slash ('/' to '%2F') in the URL before the first query parameter is replaced to %252F by security reason in the firewall we are using and the Gitlab cannot process it:
"GET /api/v4/projects/others%252Ftoolsforboox%252Ftoolsboox-backend HTTP/1.1"
Otherwise, it would look like this:
"GET /api/v4/projects/others%2Ftoolsforboox%2Ftoolsboox-backend HTTP/1.1"
In case of CI_PROJECT_ID
works without an issue:
"GET /api/v4/projects/12 HTTP/1.1"
I guess you're having authentication issues.
The authentication is fine, the CI_PROJECT_ID based API access is works.
--
Could it be possible to access the Gitlab's API based on the project id instead of the project path? Change the settings of the company's firewall is virtually impossible in my end of the issue... :)
Edit: the other option would be, to have Gitlab process both %2F and %252F encodings. I try to raise a ticket about it.
from gitlab.
I went around the problem and looks like the encoded slash ('/' to '%2F') in the URL before the first query parameter is replaced to %252F by security reason in the firewall we are using and the Gitlab cannot process it:
"GET /api/v4/projects/others%252Ftoolsforboox%252Ftoolsboox-backend HTTP/1.1"
This sounds like a bug in your Firewall, %252F
is the encoded variant of %2F
, which is
incorrect.
You can hack around this by overriding CI_PROJECT_PATH
with $CI_PROJECT_ID
before running semantic-release
. I'd prefer to not introduce new configuration options to keep complexity as low as possible.
from gitlab.
This sounds like a bug in your Firewall,
%252F
is the encoded variant of%2F
, which is incorrect.
It's not a bug, it's looks like a valid security setting, prevents some of double encoding attacks, but it is not my cup of tea, I cannot change this behavior.
You can hack around this by overriding CI_PROJECT_PATH by CI_PROJECT_ID before running semantic-release.
Okay, I try it, but I think it may have side effects...
I'd prefer to not introduce new configuration options to keep complexity as low as possible.
Okay, last question: what would be the disadvantage if the plugin sends to the Gitlab's API the CI_PROJECT_ID instead of the CI_PROJECT_PATH?
from gitlab.
I don't really know gitlab but your based on the discussion the suggestion sounds good to me 👍🏼
from gitlab.
sorry for the delay. returned recently from traveling. i'm also pretty unfamiliar with gitlab, so i support the decision to avoid the problem here.
the one thought that i do want to put out there is that this is a chance to step back to consider if we are doing something wrong at a higher level.
It's not a bug, it's looks like a valid security setting, prevents some of double encoding attacks
i havent given this a ton of thought, but my initial reaction is similar to @fgreinacher's that is a firewall config bug if it is rewriting content in ways that breaks things like this. it would take a bit more evidence to convince me otherwise if we didnt have an alternative like the approach taken to solve this. however, i'm totally open to the evidence supporting that we were doing something wrong with our encoding. it is great that we had an alternative to avoid the issue for this situation, but i'm still concerned about whether that same approach is used elsewhere that will result in other complications. is it worth understanding this a bit deeper to get some insight into whether we have other issues that we should address?
from gitlab.
Related Issues (20)
- GitLab release is not being created HOT 5
- BUG: generic_package upload causes Error 400 on release creation HOT 2
- better use version instead of git tag for publishing generic package? HOT 6
- bug: @semantic-release is using github instaed of gitlab HOT 1
- Documentation clarification and token usage with dry run HOT 1
- Link to external artifacts in release? HOT 1
- An error occurred while running semantic-release: Error: Command failed with exit code 128: HOT 3
- Generated links use legacy routes and stopped working HOT 3
- How to include reference to docker image (or arbitrary markdown) as part of release message HOT 1
- Inspect Submodule changes HOT 2
- feature request: Allow dryrun to execute even in Merge request pipeline (avoid duplicated pipelines) HOT 3
- Error: self-signed certificate in certificate chain HOT 2
- support updating changelog in repo HOT 1
- The gitlab API merge request URL has an additional single quote HOT 8
- Release asset URLs are incorrect HOT 3
- Add the option to specify the target project via project id HOT 6
- Possibility to send succesMessage only for Issue HOT 5
- Feature: Catch error "Project must have a description" when creating a release. HOT 10
- `successComment` config format in json
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gitlab.