Fix go-import path resolving for unauthorized projects (!134903) · Merge requests · GitLab.org / GitLab

Vasilii Iakliushin requested to merge 36354_fix_go_import_response into master Oct 23, 2023

What does this MR do and why?

Problem

go get makes a HTTP request to fetch information about the project location. For security reasons, we don't return the project path when the request is not authorized. Instead we return only two first segments of the requested path (namespace/project).

This approach doesn't work for private projects located in the subgroup. For example, a project with a path namespace/subgroup/project.

go get makes a request https://gitlab.com/namespace/subgroup/project?go-get=1. The request is not HTTPS authorized (because the user relies on SSH authentication).
The response contains go-import tag with namespace/subgroup path (only 2 first segments).
go get makes a SSH request to clone namespace/subgroup.
This request fails because the path is incorrect.

Solution

Return the full requested path (not only 2 first segments of it).

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Fix go-import path resolving for unauthorized projects

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports