Skip to content

Fix go-import path resolving for unauthorized projects

Vasilii Iakliushin requested to merge 36354_fix_go_import_response into master

What does this MR do and why?

Contributes to #36354 (closed)

Problem

go get makes a HTTP request to fetch information about the project location. For security reasons, we don't return the project path when the request is not authorized. Instead we return only two first segments of the requested path (namespace/project).

This approach doesn't work for private projects located in the subgroup. For example, a project with a path namespace/subgroup/project.

  1. go get makes a request https://gitlab.com/namespace/subgroup/project?go-get=1. The request is not HTTPS authorized (because the user relies on SSH authentication).
  2. The response contains go-import tag with namespace/subgroup path (only 2 first segments).
  3. go get makes a SSH request to clone namespace/subgroup.
  4. This request fails because the path is incorrect.

Solution

Return the full requested path (not only 2 first segments of it).

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports

Loading