Themes/components from GitLab gives error 500 when installing/updating

Continuing the discussion from Masonry Image Gallery:

The title tells everything, I guess.

After I rebuilt from 2.9.0.beta11 (208d22cfc2), every theme or component from GitLab gives error 500 when trying to install or update.

Is this a bug or some kind of security issue? My setup has nothing strange and is quite a basic one.

This may be related. It came up when I tested installing one theme:

Message (2 copies reported)

Failed to process hijacked response correctly : RemoteTheme::ImportError : Error cloning git repository, access is denied or repository is not found

Backtrace

/var/www/discourse/lib/theme_store/git_importer.rb:81:in `raise_import_error!'
/var/www/discourse/lib/theme_store/git_importer.rb:148:in `rescue in clone_http!'
/var/www/discourse/lib/theme_store/git_importer.rb:145:in `clone_http!'
/var/www/discourse/lib/theme_store/git_importer.rb:93:in `clone!'
/var/www/discourse/lib/theme_store/git_importer.rb:18:in `import!'
/var/www/discourse/app/models/remote_theme.rb:82:in `import_theme'
/var/www/discourse/app/controllers/admin/themes_controller.rb:106:in `block in import'
/var/www/discourse/lib/hijack.rb:56:in `instance_eval'
/var/www/discourse/lib/hijack.rb:56:in `block in hijack'
/var/www/discourse/lib/scheduler/defer.rb:94:in `block in do_work'

Env

HTTP HOSTS: foorumi.katiska.eu
4 Likes

Do you mean gitlab or github? Are these theme components that worked before? It could be a spurious networking issue. Could the themes you’re accessing have been deleted or protected?

If they are public, you can share their URLs so others can try to access them.

GitLab. GitHub based ones are just fine.

Yes. And still working if installed from zip. Connecting to Gitlab from Discourse is the issue now.

No and no.

Sure. You can try Masonry Image Gallery — the link is in the first post.

I don’t know anything, but I have a gut feeling that normalizing the URL (or something similar) will change gitlab to github and that’s why the repository is missing.

2 Likes

Almost certainly because of the SSRF protections fixes.

Gitlab is 301 redirecting a git clone for https://gitlab.com/silentboatman/discourse-masonry-image-gallery to https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git/ (sic, ends with .git/) but git is called with -c http.followRedirects=false so it fails.

Entering https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git/ as the repository URL directly does not work because that is reverted back to https://gitlab.com/silentboatman/discourse-masonry-image-gallery by FinalDestination.resolve(@uri.to_s) because, you won’t believe it, when requested outside of git, the redirection goes the other way around! Gitlab 302 redirects https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git/ to https://gitlab.com/silentboatman/discourse-masonry-image-gallery

EDIT: Using GIT_CURL_VERBOSE=1 I was able to see that Git appends info/refs?service=git-upload-pack when cloning, so

GET /silentboatman/discourse-masonry-image-gallery/info/refs?service=git-upload-pack HTTP/2

goes to

location: https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git/info/refs?service=git-upload-pack
5 Likes
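An added example, not part of the post above and not Discourse's actual fix: one way an importer could keep `http.followRedirects=false` and still handle the 301 described there is to inspect the `Location` header itself and accept it only when it stays on the same HTTPS origin and still points at git's discovery path. The helper names are hypothetical; the GitLab URLs come from the post, and the rejected targets are constructed.

```ruby
require "uri"

# Suffix git appends for smart-HTTP ref discovery, as seen in the post's
# GIT_CURL_VERBOSE=1 output.
DISCOVERY_SUFFIX = "/info/refs?service=git-upload-pack"

# URL git requests first when cloning repo_url over HTTP(S).
def discovery_url(repo_url)
  repo_url.sub(%r{/+\z}, "") + DISCOVERY_SUFFIX
end

# Hypothetical helper: given the repository URL an admin entered and the
# Location header of the redirect answering the discovery request, return
# the repository URL to clone instead, or nil if the redirect is rejected.
# Accepted means: https on both sides, same host and port, no embedded
# credentials, and a target that is still a discovery URL, so only the
# repository path changed (here: the added ".git").
def repo_url_from_redirect(repo_url, location)
  from = URI.parse(discovery_url(repo_url))
  to = URI.parse(location)
  return nil unless from.is_a?(URI::HTTPS) && to.is_a?(URI::HTTPS)
  return nil unless to.host&.downcase == from.host&.downcase && to.port == from.port
  return nil if to.userinfo
  return nil unless location.end_with?(DISCOVERY_SUFFIX)
  location.delete_suffix(DISCOVERY_SUFFIX)
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  repo = "https://gitlab.com/silentboatman/discourse-masonry-image-gallery"
  # Redirect target quoted in the post.
  good = "https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git" + DISCOVERY_SUFFIX
  # Constructed targets that the check must refuse.
  other_host = "https://internal.example/x.git" + DISCOVERY_SUFFIX
  downgrade  = "http://gitlab.com/silentboatman/discourse-masonry-image-gallery.git" + DISCOVERY_SUFFIX

  [good, other_host, downgrade].each do |loc|
    puts "#{loc} -> #{repo_url_from_redirect(repo, loc).inspect}"
  end
end
```

The importer would then run the clone against the returned URL, still with redirects disabled, so a redirect to any other host is never followed.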

So - the Big Question™ is: what has changed recently? And how can we (and by we I mean everybody other than me) fix that?

1 Like

Someone is having a look. :slight_smile: :+1:

5 Likes

(Additionally, it seems like most actions that cause an error now when adding a repository give a popup with only the text “500 Server Error” instead of an actual error message)

1 Like

I thought this fix (below) would solve this issue, but I still get the same error.

I’m currently on 2.9.0.beta11 +143 (795687160d).

@daniel Is this fix related to the issue in this topic?

1 Like

Yes, that commit was meant to fix fetching from gitlab. I just tried it and I’m able to clone from gitlab repos now, both via SSH and via HTTP. Could you give more details on what exactly you’re doing that isn’t working?

@Jagster, is this still an issue for you?

4 Likes

I have seen this failing after updating to beta12 as well.

It seems like the URL format matters.

https://gitlab.com/silentboatman/discourse-masonry-image-gallery/ → error
https://gitlab.com/silentboatman/discourse-masonry-image-gallery → error
https://gitlab.com/silentboatman/discourse-masonry-image-gallery.git → works

That means that you will need to remove and re-add theme components that have one of the first two formats, and copy the configuration. But it would be pretty cool if those two formats would be supported out of the box as well.

6 Likes

Yes, adding .git at the end of the URL seems to work. Well spotted!

Here’s some more detail. I got discourse-masonry-image-gallery installed and after updating Discourse I got the following error message.

I remember installing it from the URL without .git at the end since the example URL doesn’t end with .git.

I also tried to install another theme from gitlab (without .git) and got the following message.

In the test above I tried to install discourse-agora-theme, also a public gitlab repo.

3 Likes

After beta12 and using .git it works just fine. I did not try without .git, though.

2 Likes

This commit should fix that:

7 Likes

Yes, that solves this issue. Thanks!

2 Likes