NoMethodError on import from GitHub Enterprise on RFC1918 IP
Summary
When attempting to import a project from GitHub Enterprise using the Import API, GitLab returns an HTTP 500 and logs a NoMethodError if the github_hostname is a blocked_url?. This error should be handled appropriately with an HTTP 400.
Steps to reproduce
- Ensure "Allow requests to the local network from web hooks and services" is not checked in Settings > Network.
- Obtain a personal access token on GitLab with the api scope for a user which has permissions to create a project in a test group.
- Configure a test hostname in DNS and point it to an RFC1918 IP address.
- Run
http https://gitlab.example.com/api/v4/import/github PRIVATE-TOKEN:personal-access-token personal_access_token=foo repo_id=1 target_namespace=test-group new_name=test-project github_hostname=https://github.example.com
(or similar) to trigger the import process.
- The import API will return an HTTP 500, and a NoMethodError will be written to logs.
Example Project
Not applicable.
What is the current bug behavior?
When attempting to import a GitHub Enterprise project on private/RFC1918 IP space on a GitLab instance with "Allow requests to the local network from web hooks and services" disabled, the request fails due to a NoMethodError and returns an HTTP 500.
What is the expected correct behavior?
When attempting to import a GitHub Enterprise project on private/RFC1918 IP space on a GitLab instance with "Allow requests to the local network from web hooks and services" disabled, the request should fail with an HTTP 400 and log the error with an Invalid URL: <url> message.
Relevant logs and/or screenshots
{
"severity": "ERROR",
"time": "2021-07-29T16:18:41.991Z",
"correlation_id": "00000000000000000000000000",
"exception.class": "NoMethodError",
"exception.message": "undefined method `log_and_return_error' for #<Import::GithubService:0x00007fc6f8433840>",
"exception.backtrace":
[
"app/services/import/github_service.rb:13:in `execute'",
"lib/gitlab/metrics/instrumentation.rb:160:in `block in execute'",
"lib/gitlab/metrics/method_call.rb:27:in `measure'",
"lib/gitlab/metrics/instrumentation.rb:160:in `execute'",
"lib/api/import_github.rb:51:in `block in <class:ImportGithub>'",
"lib/api/api_guard.rb:213:in `call'",
"lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call'",
"lib/gitlab/middleware/rails_queue_duration.rb:33:in `call'",
"lib/gitlab/metrics/rack_middleware.rb:16:in `block in call'",
"lib/gitlab/metrics/web_transaction.rb:21:in `run'",
"lib/gitlab/metrics/rack_middleware.rb:16:in `call'",
"lib/gitlab/middleware/speedscope.rb:13:in `call'",
"lib/gitlab/request_profiler/middleware.rb:17:in `call'",
"lib/gitlab/jira/middleware.rb:19:in `call'",
"lib/gitlab/middleware/go.rb:20:in `call'",
"lib/gitlab/etag_caching/middleware.rb:21:in `call'",
"lib/gitlab/middleware/multipart.rb:172:in `call'",
"lib/gitlab/middleware/read_only/controller.rb:50:in `call'",
"lib/gitlab/middleware/read_only.rb:18:in `call'",
"lib/gitlab/middleware/same_site_cookies.rb:27:in `call'",
"lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'",
"lib/gitlab/middleware/basic_health_check.rb:25:in `call'",
"lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'",
"lib/gitlab/middleware/request_context.rb:21:in `call'",
"config/initializers/fix_local_cache_middleware.rb:11:in `call'",
"lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'",
"lib/gitlab/metrics/requests_rack_middleware.rb:74:in `call'",
"lib/gitlab/middleware/release_env.rb:12:in `call'"
],
"user.username": "username",
"tags.program": "web",
"tags.locale": "en",
"tags.feature_category": "importers",
"tags.correlation_id": "00000000000000000000000000"
}
Output of checks
Not applicable.
Possible fixes
In github_service.rb, the log_and_return_error method is called if blocked_url?. However, log_and_return_error does not exist and causes a NoMethodError as a result.
This method does exist in bitbucket_server_service.rb, but that is not in scope for the GithubService class.
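The failure mode described above, as an added Ruby example that is not GitLab's code: a service whose blocked-URL branch calls a helper that is not in its scope raises NoMethodError (surfacing as HTTP 500), while the same service with the helper in scope returns a 400-style error and logs "Invalid URL: <url>". The module and class names, the resolver table and the address ranges are constructed stand-ins; only log_and_return_error, blocked_url? and the error message come from the issue.

```ruby
require 'ipaddr'
require 'uri'

# Constructed resolver table so the example runs offline (no real DNS).
SAMPLE_DNS = { 'github.example.com' => '10.20.30.40', # RFC1918
               'ghe.example.net'    => '203.0.113.10' }.freeze
LOCAL_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8]
               .map { |cidr| IPAddr.new(cidr) }.freeze

# Hypothetical URL check standing in for the blocked_url? test.
module UrlCheck
  def blocked_url?(url)
    host = URI.parse(url.to_s).host
    ip = SAMPLE_DNS[host]
    return true if ip.nil? # unresolvable host: fail closed

    LOCAL_RANGES.any? { |range| range.include?(IPAddr.new(ip)) }
  rescue URI::InvalidURIError
    true
  end
end

# Hypothetical shared helper; the fix is making it reachable from the service.
module ErrorHandling
  def log_and_return_error(message, http_status)
    log << { severity: 'ERROR', message: message }
    { status: :error, message: message, http_status: http_status }
  end
end

# Reproduces the bug: the error branch calls a method this class never gets.
class BrokenGithubImport
  include UrlCheck # ErrorHandling is NOT included here
  attr_reader :log

  def initialize(params)
    @params = params
    @log = []
  end

  def execute
    url = @params[:github_hostname]
    return log_and_return_error("Invalid URL: #{url}", :bad_request) if blocked_url?(url)

    { status: :success, http_status: :created }
  end
end

# Same execute path, helper now in scope: a handled 400 instead of a 500.
class FixedGithubImport < BrokenGithubImport
  include ErrorHandling
end
```

The error branch only runs when the URL is blocked, so a test suite that imports only from public hosts never reaches the missing method.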