gitea
error: RPC failed; HTTP 500 curl 22 The requested URL returned error: 500
Description
I created a new Flutter project and I want to push the source to my Gitea instance. After committing the changes and trying to push them, the below issue is displayed in the terminal:
Enumerating objects: 177, done.
Counting objects: 100% (177/177), done.
Delta compression using up to 16 threads
Compressing objects: 100% (145/145), done.
Writing objects: 100% (176/176), 267.01 KiB | 2.24 MiB/s, done.
Total 176 (delta 21), reused 0 (delta 0), pack-reused 0
error: RPC failed; HTTP 500 curl 22 The requested URL returned error: 500
send-pack: unexpected disconnect while reading sideband packet
fatal: the remote end hung up unexpectedly
Everything up-to-date
Gitea Version
1.22.0
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
Git Version
2.39.3
Operating System
GNU/Linux
How are you running Gitea?
We have our self-hosted Gitea instance. We're using a Linux VM to install it.
Database
PostgreSQL
Can you get some logs from Gitea side?
These are the logs that I found
logs from /var/lib/gitea/log/gitea.log:
2024/06/13 11:52:42 ...s/process/manager.go:188:Add() [T] Start 666ab35a: GET: /muhammad.hasan/a.git/info/refs?service=git-receive-pack (request)
2024/06/13 11:52:42 ...eb/routing/logger.go:47:func1() [T] router: started GET /muhammad.hasan/a.git/info/refs?service=git-receive-pack for 10.10.10.20:0
2024/06/13 11:52:42 ...rvices/auth/basic.go:67:Verify() [T] Basic Authorization: Attempting login for: muhammad.hasan
2024/06/13 11:52:42 ...rvices/auth/basic.go:92:Verify() [T] Basic Authorization: Valid AccessToken for user[0]
2024/06/13 11:52:42 models/repo/repo.go:367:LoadUnits() [T] repo.Units, ID=98, Types: [TypeCode, TypeIssues, TypePullRequests, TypeReleases, TypeWiki, TypeProjects, TypePackages, TypeActions]
2024/06/13 11:52:42 ...s/repo_permission.go:199:func1() [T] Permission Loaded for user <User 1:muhammad.hasan> in repo <Repository 98:muhammad.hasan/a>, permissions: {AccessMode:4 units:[0xc006b5a5c0 0xc006b5a600 0xc006b5a680 0xc006b5a6c0 0xc006b5a700 0xc006b5a740 0xc006b5a780 0xc006b5a7c0] unitsMode:map[] everyoneAccessMode:map[]}
2024/06/13 11:52:42 ...dules/git/command.go:291:Run() [D] git.Command.RunDir(/var/lib/gitea/data/gitea-repositories/muhammad.hasan/a.git): /usr/bin/git -c protocol.version=2 -c credential.helper= -c filter.lfs.required= -c filter.lfs.smudge= -c filter.lfs.clean= receive-pack --stateless-rpc --advertise-refs .
2024/06/13 11:52:42 ...s/process/manager.go:188:Add() [T] Start 666ab35a-2: git(dir:/var/lib/gitea/data/gitea-repositories/muhammad.hasan/a.git): /usr/bin/git -c protocol.version=2 -c credential.helper= -c filter.lfs.required= -c filter.lfs.smudge= -c filter.lfs.clean= receive-pack --stateless-rpc --advertise-refs . (from 666ab35a) (normal)
2024/06/13 11:52:42 ...s/process/manager.go:231:remove() [T] Done 666ab35a-2: git(dir:/var/lib/gitea/data/gitea-repositories/muhammad.hasan/a.git): /usr/bin/git -c protocol.version=2 -c credential.helper= -c filter.lfs.required= -c filter.lfs.smudge= -c filter.lfs.clean= receive-pack --stateless-rpc --advertise-refs .
2024/06/13 11:52:42 ...eb/routing/logger.go:102:func1() [I] router: completed GET /muhammad.hasan/a.git/info/refs?service=git-receive-pack for 10.10.10.20:0, 200 OK in 40.7ms @ repo/githttp.go:517(repo.GetInfoRefs)
2024/06/13 11:52:42 ...s/process/manager.go:231:remove() [T] Done 666ab35a: GET: /muhammad.hasan/a.git/info/refs?service=git-receive-pack
Dear @lunny any updates?
Hi @MuhmdHsn313, those logs provide a successful response. Are you able to provide the logs that give a 500 and the error surrounding it?
How can I get these logs? I can give you the required logs you need.
Dear @techknowlogick and @lunny Any updates?
@MuhmdHsn313 here are some docs on how to enable more detailed logs: https://docs.gitea.com/help/support#more-config-options-for-logs
Dear @lunny and @techknowlogick ,
Our firewall has flagged a potential security concern related to an injection vulnerability (OWASP Top 10: A03:2021 - Injection). This issue may stem from improper handling of untrusted input, which could lead to OS command injection attacks. Could you kindly review the input validation mechanisms to address this?
Details:
- Injection Vulnerability:
  - OWASP Top10: A03:2021 - Injection
  - Main Type: Signature Detection
  - Signature Subclass Type: OS Command Injection Attacks
  - Signature ID: 050010002
- Vulnerable and Outdated Components:
  - CVE IDs: CVE-2021-44228, CVE-2021-45046, CVE-2021-4104
  - OWASP Top10: A06:2021 - Vulnerable and Outdated Components
  - OWASP API Top10: API8:2023 - Security Misconfiguration
  - Main Type: Signature Detection
  - Signature Subclass Type: Signatures for Web Servers
  - Signature ID: 090490121
Could you also review and address the vulnerabilities related to outdated components? More information on the Injection vulnerability can be found here.
@MuhmdHsn313 could you email [email protected] with more information?
@techknowlogick email sent
I made a new git commit on the local repository. After that I tried to push it to the remote repo; when I performed git push, my firewall blocked the push and I got a security issue report.
- The issue
  - Client Risk: Malicious
  - Source Country or Region: Reserved
  - CVE ID: N/A
  - OWASP Top10: A03:2021-Injection
  - OWASP API Top10: N/A
  - Main Type: SQL/XSS Syntax Based Detection
  - Sub Type: Line Comments
  - Signature Subclass Type: N/A
  - Signature ID: N/A
  - Message: Parameter((Z6\) triggered Line Comments of policy QDC-SQL-XSS
- Firewall report metadata
  - Path: <GITEA_URL>/ORG/REPO.git/git-receive-pack
  - Links: https://owasp.org/Top10/A03_2021-Injection/
I think all these are false alerts and unrelated. And please send a security report to [email protected]. I will delete this issue very soon.
Your WAF or other firewalls blocked the git request/response. No need to trust these false alarms.
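A triage sketch for the situation in this thread, added here as an example (it is not from any participant and is not Gitea code): it reads the "router: completed" lines in the format of the gitea.log excerpt above and reports whether the pack upload (POST .../git-receive-pack) ever reached Gitea. The function names and the second, constructed log sample are assumptions, and the result is only meaningful if the log excerpt covers the whole push.

```python
import re

# "router: completed" lines, in the format of the gitea.log excerpt in this thread.
ROUTER_DONE = re.compile(
    r"router: completed (?P<method>[A-Z]+) (?P<path>\S+) for \S+, (?P<status>\d{3}) "
)

def completed_requests(log_text):
    """Return (method, path without query string, status) per completed request."""
    return [
        (m["method"], m["path"].split("?", 1)[0], int(m["status"]))
        for m in ROUTER_DONE.finditer(log_text)
    ]

def locate_push_failure(log_text, repo_path):
    """Classify where a failed HTTP push to repo_path (e.g. /owner/repo.git) broke."""
    reqs = completed_requests(log_text)
    advert = [s for meth, p, s in reqs
              if meth == "GET" and p == repo_path + "/info/refs"]
    upload = [s for meth, p, s in reqs
              if meth == "POST" and p == repo_path + "/git-receive-pack"]
    if not advert:
        return "no-request-reached-gitea"
    if not upload:
        # Ref advertisement was served but no pack upload was logged: the
        # status the client saw came from something in front of Gitea
        # (reverse proxy, WAF), so that device's logs are the next place to look.
        return "upload-never-reached-gitea"
    if any(s >= 500 for s in upload):
        return "gitea-returned-5xx"
    return "gitea-accepted-push"

# Router line copied from the log excerpt posted in this thread.
THREAD_LOG = (
    "2024/06/13 11:52:42 ...eb/routing/logger.go:102:func1() [I] router: completed "
    "GET /muhammad.hasan/a.git/info/refs?service=git-receive-pack for 10.10.10.20:0, "
    "200 OK in 40.7ms @ repo/githttp.go:517(repo.GetInfoRefs)\n"
)
# Constructed line (not from the thread): how a genuine server-side 500 would appear.
CONSTRUCTED_500 = THREAD_LOG + (
    "2024/06/13 11:52:43 ...eb/routing/logger.go:102:func1() [I] router: completed "
    "POST /muhammad.hasan/a.git/git-receive-pack for 10.10.10.20:0, "
    "500 Internal Server Error in 12.0ms\n"
)

if __name__ == "__main__":
    print(locate_push_failure(THREAD_LOG, "/muhammad.hasan/a.git"))
    print(locate_push_failure(CONSTRUCTED_500, "/muhammad.hasan/a.git"))
```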