API v4 allows setting a branch that doesn't exist as the default one
Summary
The GitLab API allows a user to set a non-existent branch as the default one. A customer is experiencing this in https://gitlab.zendesk.com/agent/tickets/80856
Steps to reproduce
- Create a project in GitLab.
- The only branch it should have is master. Confirm this in <domain>/<group>/<project>/branches
- Using the API, redefine the default branch using this command:
  curl --request PUT --header "PRIVATE-TOKEN: <token>" "https://gitlab.com/api/v4/projects/3854924?default_branch=develop"
  Note that the command succeeds, even though the develop branch didn't exist in GitLab.
- Refresh the page at https://gitlab.com/harish_test_group/testing_api_default_branch/branches. master is still the default branch here.
- Attempt to clone the repo and the below error is returned:
  $ git clone git@gitlab.com:harish_test_group/testing_api_default_branch.git
  Cloning into 'testing_api_default_branch'...
  remote: Counting objects: 3, done.
  remote: Total 3 (delta 0), reused 0 (delta 0)
  Receiving objects: 100% (3/3), done.
  warning: remote HEAD refers to nonexistent ref, unable to checkout.
Example Project
https://gitlab.com/harish_test_group/testing_api_default_branch/branches
What is the current bug behavior?
The API request to change the default branch succeeds, even though the branch does not exist.
What is the expected correct behavior?
The API should return an error when the requested default branch does not exist.
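
A client-side guard for the behaviour described above, as an added example that is not part of the original issue or GitLab's code: it confirms the branch exists through the v4 single-branch endpoint before sending the PUT. The `GITLAB_URL` and `GITLAB_TOKEN` variables and all function names are assumptions, and only branch names made of letters, digits, `.`, `_`, `/` and `-` are accepted.

```shell
# Added example: client-side guard, not GitLab's code. GITLAB_URL, GITLAB_TOKEN
# and the function names are assumptions made for this sketch.
GITLAB_URL="${GITLAB_URL:-https://gitlab.com}"

# Encode a branch name for use as one URL path segment.
# Only names made of [A-Za-z0-9._/-] are accepted; "/" becomes %2F.
encode_branch() {
  case "$1" in
    ''|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac
  printf '%s' "$1" | sed 's|/|%2F|g'
}

# Return 0 if the branch exists, 1 on 404 (branch missing, or the
# project is not visible to the token), 2 on anything else.
branch_exists() {
  project_id="$1"
  enc=$(encode_branch "$2") || return 2
  status=$(curl --silent --output /dev/null --write-out '%{http_code}' \
    --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
    "${GITLAB_URL}/api/v4/projects/${project_id}/repository/branches/${enc}") || return 2
  case "$status" in
    200) return 0 ;;
    404) return 1 ;;
    *)   return 2 ;;
  esac
}

# Change the default branch only after the existence check passes.
set_default_branch_checked() {
  project_id="$1"; branch="$2"
  rc=0
  branch_exists "$project_id" "$branch" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "refusing: cannot confirm branch '$branch' exists (rc=$rc)" >&2
    return 1
  fi
  curl --silent --fail --output /dev/null --request PUT \
    --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
    --data-urlencode "default_branch=${branch}" \
    "${GITLAB_URL}/api/v4/projects/${project_id}"
}
```

With this guard, `set_default_branch_checked 3854924 develop` fails before any PUT is sent when `develop` is missing, so the remote HEAD is never pointed at a nonexistent ref.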