Jagster
(Jakke Lehtonen)
November 2, 2022, 11:44am
1
Continuing the discussion from Masonry Image Gallery:
The title tells everything, I guess.
After I rebuilt from 2.9.0.beta11 (208d22cfc2), every theme or component from GitLab gives error 500 when trying to install or update.
Is this a bug or some kind of security issue? My setup has nothing strange and is quite a basic one.
This can be related. It came when I tested trying to install one theme:
Message (2 copies reported)
Failed to process hijacked response correctly : RemoteTheme::ImportError : Error cloning git repository, access is denied or repository is not found
Backtrace
/var/www/discourse/lib/theme_store/git_importer.rb:81:in `raise_import_error!'
/var/www/discourse/lib/theme_store/git_importer.rb:148:in `rescue in clone_http!'
/var/www/discourse/lib/theme_store/git_importer.rb:145:in `clone_http!'
/var/www/discourse/lib/theme_store/git_importer.rb:93:in `clone!'
/var/www/discourse/lib/theme_store/git_importer.rb:18:in `import!'
/var/www/discourse/app/models/remote_theme.rb:82:in `import_theme'
/var/www/discourse/app/controllers/admin/themes_controller.rb:106:in `block in import'
/var/www/discourse/lib/hijack.rb:56:in `instance_eval'
/var/www/discourse/lib/hijack.rb:56:in `block in hijack'
/var/www/discourse/lib/scheduler/defer.rb:94:in `block in do_work'
Env
HTTP HOSTS: foorumi.katiska.eu
4 Likes
pfaffman
(Jay Pfaffman)
November 2, 2022, 9:08pm
2
Do you mean gitlab or github? Are these theme components that worked before? It could be a spurious networking issue. Could the themes you're accessing have been deleted or protected?
If they are public, you can share their URLs so others can try to access them.
Jagster
(Jakke Lehtonen)
November 2, 2022, 9:13pm
3
GitLab. GitHub based ones are just fine.
Yes. And still working if installed from zip. Connecting to Gitlab from Discourse is the issue now.
No and no.
Sure. You can try Masonry Image Gallery - the link is in the first post.
I don't know anything but I have a gut feeling that normalizing of url (or something similar) will change gitlab to github and that's why repository is missing.
2 Likes
RGJ
(Richard - Communiteq)
November 2, 2022, 11:00pm
5
Almost certainly because of the SSRF protection fixes.
Gitlab is 301 redirecting a git clone for https://gitlab.com/silentboatman/discourse-masonry-image-gallery to https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git/ (sic, ends with .git/) but git is called with -c http.followRedirects=false so it fails.
Entering https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git/ as the repository URL directly does not work because that is reverted back to https://gitlab.com/silentboatman/discourse-masonry-image-gallery by FinalDestination.resolve(@uri.to_s) because, you won't believe it, when requested outside of git, the redirection goes the other way around! Gitlab 302 redirects https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git/ to https://gitlab.com/silentboatman/discourse-masonry-image-gallery
EDIT: using GIT_CURL_VERBOSE=1 I was able to see that Git appends info/refs?service=git-upload-pack when cloning, so
GET /silentboatman/discourse-masonry-image-gallery/info/refs?service=git-upload-pack HTTP/2
goes to
location: https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git/info/refs?service=git-upload-pack
5 Likes
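An added Ruby sketch of the behaviour described in the post above (not code from the post or from Discourse): resolve git's info/refs discovery URL hop by hop, apply an SSRF check to every hop, then give git the resolved base URL with redirects still disabled. The redirect table, the DNS map, the themes.example and intranet.example hosts and all function names are constructed so it runs offline; accepting only a final URL that keeps the info/refs suffix is an assumption of this sketch.

```ruby
require "uri"
require "ipaddr"

# Path and query that git appends when cloning over HTTP (see the post above).
SUFFIX = "/info/refs?service=git-upload-pack"
REPO = "https://gitlab.com/silentboatman/discourse-masonry-image-gallery"

# Constructed stand-ins for HTTP and DNS so the example runs offline.
REDIRECTS = {
  "#{REPO}#{SUFFIX}" => [301, "#{REPO}.git#{SUFFIX}"],
  "#{REPO}.git#{SUFFIX}" => [200, nil],
  "https://themes.example/t#{SUFFIX}" => [302, "https://intranet.example/t.git#{SUFFIX}"],
}.freeze
DNS = { "gitlab.com" => "203.0.113.10", "themes.example" => "203.0.113.20",
        "intranet.example" => "10.0.0.5" }.freeze

# SSRF check applied to every hop: HTTPS only, host must resolve to a public address.
def safe_target?(uri)
  return false unless uri.is_a?(URI::HTTPS) && DNS.key?(uri.host)
  addr = IPAddr.new(DNS[uri.host])
  !(addr.private? || addr.loopback? || addr.link_local?)
end

# Follow redirects ourselves, then return the base URL git should clone from.
def resolve_git_base(repo_url, max_hops: 5)
  url = repo_url.sub(%r{/+\z}, "") + SUFFIX
  max_hops.times do
    raise ArgumentError, "blocked target: #{url}" unless safe_target?(URI.parse(url))
    status, location = REDIRECTS.fetch(url, [404, nil])
    case status
    when 200
      # Only accept a final URL that still carries git's suffix.
      raise ArgumentError, "redirect dropped git suffix" unless url.end_with?(SUFFIX)
      return url.delete_suffix(SUFFIX)
    when 301, 302, 307, 308
      url = URI.join(url, location).to_s
    else
      raise ArgumentError, "HTTP #{status} for #{url}"
    end
  end
  raise ArgumentError, "too many redirects"
end

# git itself still runs with redirects disabled, as in the post above.
def clone_command(repo_url, dest)
  ["git", "-c", "http.followRedirects=false", "clone", resolve_git_base(repo_url), dest]
end
```

With the constructed table, all three URL spellings of the GitLab repository resolve to the .git form, while a redirect that lands on a private address is rejected before any clone is attempted.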
Jagster
(Jakke Lehtonen)
November 2, 2022, 11:11pm
6
So - the Big Question™ is: what has changed recently? And how we (and with we I mean everybody else than I) can fix that?
1 Like
Someone is having a look.
5 Likes
RGJ
(Richard - Communiteq)
November 3, 2022, 7:31am
8
(Additionally, it seems like most actions that cause an error now when adding a repository give a popup with only the text "500 Server Error" instead of an actual error message)
1 Like
Heddson
November 11, 2022, 1:01pm
10
I thought this fix (below) would solve this issue, but I still get the same error.
I'm currently on 2.9.0.beta11 +143 (795687160d).
discourse:main ← discourse:gitlab-fetch-fix
opened 07:45PM - 03 Nov 22 UTC
This should fix fetching from gitlab.
@daniel Is this fix related to the issue in this topic?
1 Like
daniel
(Daniel Waterworth)
November 14, 2022, 10:10pm
11
Yes, that commit was meant to fix fetching from gitlab. I just tried it and I'm able to clone from gitlab repos now, both via SSH and via HTTP. Could you give more details on what exactly you're doing that isn't working?
@Jagster, is this still an issue for you?
4 Likes
RGJ
(Richard - Communiteq)
November 14, 2022, 10:35pm
12
I have seen this failing after updating to beta12 as well.
It seems like the URL format matters.
https://gitlab.com/silentboatman/discourse-masonry-image-gallery/ → error
https://gitlab.com/silentboatman/discourse-masonry-image-gallery → error
https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git → works
That means that you will need to remove and re-add theme components that have one of the first two formats, and copy the configuration. But it would be pretty cool if those two formats would be supported out of the box as well.
6 Likes
Heddson
November 14, 2022, 11:02pm
13
Yes, adding .git at the end of the URL seems to work. Well spotted!
Here's some more detail. I got discourse-masonry-image-gallery installed and after updating Discourse I got the following error message.
I remember installing it from the URL without .git at the end since the example URL doesn't end with .git.
I also tried to install another theme from gitlab (without .git) and got the following message.
In the test above I tried to install discourse-agora-theme , also a public gitlab repo.
3 Likes
Jagster
(Jakke Lehtonen)
November 15, 2022, 9:14am
14
After beta12 and using .git it works just fine. I did not try without .git, though.
2 Likes
daniel
(Daniel Waterworth)
December 5, 2022, 5:53pm
18
Richard - Communiteq:
It seems like the URL format matters.
https://gitlab.com/silentboatman/discourse-masonry-image-gallery/ → error
https://gitlab.com/silentboatman/discourse-masonry-image-gallery → error
https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git → works
This commit should fix that:
committed 08:21PM - 30 Nov 22 UTC
This is closer to git's redirect following behaviour. We prevented git
following redirects when we clone in order to prevent SSRF attacks.
Follow-up-to: 291bbc4fb966165c9f7bbc7af6bea705b8c09a7d
7 Likes
Heddson
December 5, 2022, 8:01pm
19
Yes, that solves this issue. Thanks!
2 Likes