Access-Control-Expose-Headers incorrect value when getting file metadata using a HEAD API request

Summary

When using the files API to get a file's metadata using a HEAD request, the Access-Control-Expose-Headers response header is missing the following header names (taken from the API Docs here): X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size

Steps to reproduce

  1. Run the following command:
curl --head --header 'Origin: http://localhost:8080' 'https://gitlab.com/api/v4/projects/13083/repository/files/app%2Fmodels%2Fkey%2Erb?ref=master'
  2. The following response is received:
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 05 Jan 2020 12:16:27 GMT
Content-Type: application/json
Content-Length: 353
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page
Access-Control-Max-Age: 1728000
Cache-Control: no-cache
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Blob-Id: e549c59b58fc7a91d2917fdd0f9d2ae4134b0f1b
X-Gitlab-Commit-Id: 190ca0529dd0edef1d881e09d5352f83426b01d3
X-Gitlab-Content-Sha256: 67741bdf974c3d84c4dc3516ffe9a7a40f231e1a369158ed106defcb90a8db4d
X-Gitlab-Encoding: base64
X-Gitlab-File-Name: key.rb
X-Gitlab-File-Path: app/models/key.rb
X-Gitlab-Last-Commit-Id: 5bd24a54ef4ce3a38a860eb53b66d062c2382971
X-Gitlab-Ref: master
X-Gitlab-Size: 3670
X-Request-Id: 6VGqGFZleM1
X-Runtime: 0.067738
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
RateLimit-Limit: 600
RateLimit-Observed: 1
RateLimit-Remaining: 599
RateLimit-Reset: 1578226647
RateLimit-ResetTime: Sun, 05 Jan 2020 12:17:27 GMT
GitLab-LB: fe-21-lb-gprd
GitLab-SV: localhost

What is the current bug behavior?

The response header Access-Control-Expose-Headers value is Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page

What is the expected correct behavior?

The response header Access-Control-Expose-Headers value is Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size

Output of checks

This bug happens on GitLab.com

Possible fixes

https://gitlab.com/gitlab-org/gitlab-foss/blob/190ca0529dd0edef1d881e09d5352f83426b01d3/config/application.rb#L238

Edited by Erez Rokah
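
Why the missing names matter to a browser client, as an added example (not part of the original issue and not GitLab's code): a cross-origin script can read only CORS-safelisted response headers plus those named in Access-Control-Expose-Headers, so the X-Gitlab-* values are sent but unreadable. The function names and the trimmed sample responses below are constructed for illustration from the response shown in the issue.

```javascript
// CORS-safelisted response header names (Fetch standard): always readable
// by a cross-origin script, with no need to list them in Expose-Headers.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Parse a raw response head (status line + headers) into a Map of
// lowercased header name -> value. Repeated headers are comma-joined.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1): skip status line
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Return the headers starting with `prefix` that are present in the response
// but would be hidden from a cross-origin script.
function hiddenHeaders(raw, prefix = "x-gitlab-", credentialed = false) {
  const headers = parseHeaders(raw);
  const expose = (headers.get("access-control-expose-headers") || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  // "*" acts as a wildcard only for requests made without credentials.
  if (!credentialed && expose.includes("*")) return [];
  const readable = new Set([...SAFELISTED, ...expose]);
  return [...headers.keys()]
    .filter((n) => n.startsWith(prefix) && !readable.has(n))
    .sort();
}

// Constructed sample: a subset of the HEAD response quoted in the issue.
const CURRENT = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Expose-Headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page",
  "X-Gitlab-Blob-Id: e549c59b58fc7a91d2917fdd0f9d2ae4134b0f1b",
  "X-Gitlab-Ref: master",
  "X-Gitlab-Size: 3670",
].join("\r\n");
// Constructed sample: the same response with the expected header names added.
const EXPECTED = CURRENT.replace("X-Prev-Page",
  "X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Ref, X-Gitlab-Size");

console.log(hiddenHeaders(CURRENT), hiddenHeaders(EXPECTED));
```

The same check can be run against the full `curl --head` output as a regression test once the expose list is extended.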