"Repository by URL" project import page sends incomplete credentials while typing

Summary

I'm working with a customer on a ticket (internal link), and we have noticed some reasonably undesirable behavior when importing a repository from a Git URL. When filling in the "Git repository URL", "Username (optional)" or "Password (optional)" fields, every key press inside the field causes a validation event (POST /import/url/validate) to be sent. This provides instant feedback on whether the connection is successful and credentials are correct, but this means that for an n-letter password, there are n-1 access attempts that are guaranteed to fail before the full password is tested. Sending partial credentials to a remote server as you type is unexpected, and might trip some security mechanisms such as rate limiting or wrong-password account lockouts. These lockouts are precisely what the customer has experienced in this case.

A workaround is to fill in the fields in the order: password, then user, then URL last. Because the actual unexpected behavior is completely invisible and the workaround completely non-trivial, I'm marking this as a bug rather than a UX issue.

Steps to reproduce

  1. Open GitLab.com or any self-hosted instance while authenticated,
  2. Click on "New Project",
  3. Click "Import project",
  4. Click "Repository by URL",
  5. Start typing in "Git repository URL", "Username (optional)" or "Password (optional)" fields,
  6. Observe validate requests being spawned in the browser's network inspector on every key press.

Example Project

N/A

What is the current bug behavior?

GitLab sends requests to the remote Git server to validate credentials on every key press, most of which are guaranteed to be invalid.

What is the expected correct behavior?

GitLab only sends a validation request once the user is confident in the details they have provided.

Relevant logs and/or screenshots

Screenshot of validation requests spawned while typing in a 15-letter password (image: validate request screenshot)

Successive contents of the body sent to the GitLab validate endpoint:

{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"m"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"my"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"myp"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"mypa"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"mypas"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"mypass"}

Request response, confirming that the remote Git server is being contacted:

{
    "success": false,
    "message": "https://gitlab.com/group1/repo1.git endpoint error: 401 Unauthorized"
}

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

N/A

Results of GitLab application Check

N/A

Possible fixes

The fix would need to change the UX of the import from URL page. This could be the addition of a "Test connection" button, which is standard practice in similar forms, and making it the only way to trigger validation.
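As an added illustration (not GitLab's code), the following stand-alone JavaScript models the three behaviours this issue describes: the current per-keystroke validation, the workaround of filling in the password first and the URL last, and a "Test connection" button as the only trigger. The endpoint stub, the form classes and simulate() are hypothetical names; the request bodies and the 401 response mirror the ones shown above.

```javascript
// Added example, not GitLab's code: a model of the "Repository by URL" form talking to
// a stub of POST /import/url/validate. Every name here is hypothetical.

// Endpoint stub: records each body it receives (in memory, no network) and answers
// the way the issue shows the real endpoint answering a wrong password.
function makeValidateEndpoint(correctPassword) {
  const requestLog = [];
  return {
    requestLog,
    validate(body) {
      requestLog.push({ ...body });
      return body.password === correctPassword
        ? { success: true }
        : { success: false, message: `${body.url} endpoint error: 401 Unauthorized` };
    },
  };
}

// Current behaviour: a validate request goes out on every key press in any field,
// so partial URLs, usernames and passwords all reach the endpoint.
class PerKeystrokeForm {
  constructor(endpoint) { this.endpoint = endpoint; this.fields = { url: '', user: '', password: '' }; }
  type(field, text) {
    for (const ch of text) {
      this.fields[field] += ch;
      this.endpoint.validate(this.fields);
    }
  }
  submit() { /* nothing to do: the last key press already validated */ }
}

// Proposed behaviour: typing only updates local state; the endpoint is contacted
// exactly once, when the user presses "Test connection".
class TestConnectionForm {
  constructor(endpoint) { this.endpoint = endpoint; this.fields = { url: '', user: '', password: '' }; }
  type(field, text) { this.fields[field] += text; }
  submit() { return this.endpoint.validate(this.fields); }
}

// Fill the form in the given field order and count what the remote Git server sees:
// all requests, and wrong-password attempts that carry the complete URL and username
// (a non-empty, incorrect password is what trips rate limits and lockouts).
function simulate(FormClass, creds, order = ['url', 'user', 'password']) {
  const endpoint = makeValidateEndpoint(creds.password);
  const form = new FormClass(endpoint);
  for (const field of order) form.type(field, creds[field]);
  form.submit();
  const wrong = endpoint.requestLog.filter((r) =>
    r.url === creds.url && r.user === creds.user && r.password !== '' && r.password !== creds.password);
  return { totalRequests: endpoint.requestLog.length, wrongPasswordAttempts: wrong.length };
}
```

Run simulate() with each form class and field order to see the n-1 failed attempts of the current form, the zero of the workaround (at the cost of still leaking every partial value) and the single request of the button-driven form.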

Edited by 🤖 GitLab Bot 🤖