Gitlab OAUTH, not all Gitlab groups assigned because Gitlab Link URLs from Repsonse Header are not recognized


can some one help on this issue. We are using the latest 8.9.1LTS version (Version 8.9.1 (build 44547)).

We have many groups in Gitlab. When logging in via OAUTH/Gitlab, not all groups are found and thus not all assignments to Sonarqube groups are done.
The reason is the case-sensitive evaluation of the response headers in Sonarqube. Currently only “Link” is evaluated:

    String link = response.getHeader("Link");

We use HAPROXY which converts all responses to lower case.

According to the documentation this is standard and the workaround (works only for HTTP/1) in the settings should not be used permanently.
The method should be changed to case-insensitive evaluation.

Extract from the HAPROXY documentation:

“When HAProxy receives an HTTP/1 request, its header names are converted to
lower case and manipulated and sent this way to the servers.

There is no standard case for header names because, as stated in RFC7230,
they are case-insensitive. So applications must handle them in a case-
insensitive manner.

… it is possible to transform the lower case eader names to a
different format when the request is formatted and sent to the server, …
using the global directives “h1-case-adjust”

This must only be a temporary workaround for the time it takes the client to be
fixed, because clients which require such workarounds might be vulnerable to
content smuggling attacks and must absolutely be fixed.”

Thanks for any help in advance

1 Like

Hi, welcome to the community forum!

Thanks for taking the time to report this and for the investigation. This change makes sense to me, I created a ticket in our backlog to track the effort.

Many thanks, this will help us a lot. :slightly_smiling_face:

Will this fix be part of upcoming 9.x and 8.9LTS?

It might not be part of 9.0, as the release is due in 2 days. But in the 9.X series, yes, most likely.

It’s not scheduled for a backport in 8.9 (Yet, anyway). Our backport policy is quite strict, and we backport only critical bugs. I don’t think this issue qualifies for a backport.

Your easiest option might be to upgrade to 9.X once the issue gets fixed.

Thanks for the info. Actually we wanted to stay on the LTS version. We will check if it is possible to switch to 9.x. In parallel we will test the reconfiguration on the HAPROXY.

1 Like