fix: reject requests with very long URIs (!612) · Merge requests · GitLab.org / gitlab-pages · GitLab

Vladimir Shushlin requested to merge uri-len-limit into master Nov 10, 2021

What does this MR do?

Fixes https://gitlab.com/gitlab-org/gitlab-pages/-/issues/659

Alternative solution is https://gitlab.com/gitlab-org/security/gitlab-pages/-/merge_requests/17.

But:

I think it's useful to have a configurable switch. If self-managed clients see any errors, they can just change the flag.
We found an issue specific to auth workflow, but I think other parts of the application may be vulnerable as well. If we limit the size of the URI globally, we prevent other issues.

TODO

I added the Changelog trailer (e.g. Changelog: feature) to the commits that need to be included in the changelog
I added unit tests or they are not required
I added acceptance tests or they are not required
I added documentation (or it's not required) Will add later in main gitlab repo
I followed code review guidelines
I followed Go Style guidelines

Edited Nov 10, 2021 by Vladimir Shushlin