fix: improve handling of errors in proxy filter functions and 403 errors on block

kriswest · kriswest · commit 8d1183d7ae36 · 2025-08-20T18:45:16.000+01:00
diff --git a/src/proxy/routes/index.ts b/src/proxy/routes/index.ts
@@ -29,14 +29,19 @@ const logAction = (
 const proxyFilter: ProxyOptions['filter'] = async (req, res) => {
   try {
     const urlComponents = processUrlPath(req.url);
-
     if (
       !urlComponents ||
       urlComponents.gitPath === undefined ||
       !validGitRequest(urlComponents.gitPath, req.headers)
     ) {
-      res.status(400).send('Invalid request received');
-      console.log('action blocked');
+      logAction(
+        req.url,
+        req.headers.host,
+        req.headers['user-agent'],
+        'Invalid request received',
+        null,
+      );
+      res.status(400).send(handleMessage('Invalid request received'));
       return false;
     }
 
@@ -51,17 +56,7 @@ const proxyFilter: ProxyOptions['filter'] = async (req, res) => {
       res.set('x-frame-options', 'DENY');
       res.set('connection', 'close');
 
-      let message = '';
-
-      if (action.error) {
-        message = action.errorMessage!;
-        console.error(message);
-      }
-      if (action.blocked) {
-        message = action.blockedMessage!;
-      }
-
-      const packetMessage = handleMessage(message);
+      const packetMessage = handleMessage(action.errorMessage ?? action.blockedMessage ?? '');
 
       logAction(
         req.url,
@@ -70,9 +65,7 @@ const proxyFilter: ProxyOptions['filter'] = async (req, res) => {
         action.errorMessage,
         action.blockedMessage,
       );
-
-      res.status(200).send(packetMessage);
-
+      res.status(403).send(packetMessage);
       return false;
     }
 
@@ -84,16 +77,20 @@ const proxyFilter: ProxyOptions['filter'] = async (req, res) => {
       action.blockedMessage,
     );
 
+    // this is the only case where we do not respond directly, instead we return true to proxy the request
     return true;
   } catch (e) {
-    console.error('Error occurred in proxy filter function ', e);
+    const packetMessage = handleMessage(`Error occurred in proxy filter function ${e}`);
+
     logAction(
       req.url,
       req.headers.host,
       req.headers['user-agent'],
       'Error occurred in proxy filter function: ' + ((e as Error).message ?? e),
       null,
     );
+
+    res.status(500).send(packetMessage);
     return false;
   }
 };
@@ -140,7 +137,9 @@ const isPackPost = (req: Request) =>
   /^(?:\/[^/]+)*\/[^/]+\.git\/(?:git-upload-pack|git-receive-pack)$/.test(req.url);
 
 const teeAndValidate = async (req: Request, res: Response, next: NextFunction) => {
-  if (!isPackPost(req)) return next();
+  if (!isPackPost(req)) {
+    return next();
+  }
 
   const proxyStream = new PassThrough();
   const pluginStream = new PassThrough();
@@ -152,17 +151,16 @@ const teeAndValidate = async (req: Request, res: Response, next: NextFunction) =
     const buf = await getRawBody(pluginStream, { limit: '1gb' });
     (req as any).body = buf;
     const verdict = await executeChain(req, res);
-    console.log('action processed');
     if (verdict.error || verdict.blocked) {
-      let msg = '';
+      const msg = verdict.errorMessage ?? verdict.blockedMessage ?? '';
 
-      if (verdict.error) {
-        msg = verdict.errorMessage!;
-        console.error(msg);
-      }
-      if (verdict.blocked) {
-        msg = verdict.blockedMessage!;
-      }
+      logAction(
+        req.url,
+        req.headers?.host,
+        req.headers?.['user-agent'],
+        verdict.errorMessage,
+        verdict.blockedMessage,
+      );
 
       res
         .set({
@@ -174,7 +172,7 @@ const teeAndValidate = async (req: Request, res: Response, next: NextFunction) =
           'x-frame-options': 'DENY',
           connection: 'close',
         })
-        .status(200)
+        .status(403)
         .send(handleMessage(msg));
       return;
     }
@@ -233,8 +231,9 @@ const getRouter = async () => {
   console.log('proxy keys registered: ', JSON.stringify(proxyKeys));
 
   router.use('/', (req, res, next) => {
-    console.log(`processing request URL: '${req.url}'`);
-    console.log('proxy keys registered: ', JSON.stringify(proxyKeys));
+    console.log(
+      `processing request URL: '${req.url}' against registered proxy keys: ${JSON.stringify(proxyKeys)}`,
+    );
 
     for (let i = 0; i < proxyKeys.length; i++) {
       if (req.url.startsWith(proxyKeys[i])) {
diff --git a/test/teeAndValidation.test.js b/test/teeAndValidation.test.js
@@ -56,7 +56,7 @@ describe('teeAndValidate middleware', () => {
     expect(next.called).to.be.false;
 
     expect(res.set.called).to.be.true;
-    expect(res.status.calledWith(200)).to.be.true;
+    expect(res.status.calledWith(403)).to.be.true;
     expect(res.send.calledWith(handleMessage('denied!'))).to.be.true;
   });
 
diff --git a/test/testProxyRoute.test.js b/test/testProxyRoute.test.js
@@ -18,16 +18,26 @@ import Proxy from '../src/proxy';
 const TEST_DEFAULT_REPO = {
   url: 'https://github.com/finos/git-proxy.git',
   name: 'git-proxy',
-  project: 'finos/gitproxy',
+  project: 'finos/git-proxy',
   host: 'github.com',
+  proxyUrlPrefix: '/github.com/finos/git-proxy.git',
 };
 
 const TEST_GITLAB_REPO = {
   url: 'https://gitlab.com/gitlab-community/meta.git',
   name: 'gitlab',
   project: 'gitlab-community/meta',
   host: 'gitlab.com',
-  proxyUrlPrefix: 'gitlab.com/gitlab-community/meta.git',
+  proxyUrlPrefix: '/gitlab.com/gitlab-community/meta.git',
+};
+
+const TEST_UNKNOWN_REPO = {
+  url: 'https://github.com/finos/fdc3.git',
+  name: 'fdc3',
+  project: 'finos/fdc3',
+  host: 'github.com',
+  proxyUrlPrefix: '/github.com/finos/fdc3.git',
+  fallbackUrlPrefix: '/finos/fdc3.git',
 };
 
 describe('proxy route filter middleware', () => {
@@ -42,6 +52,10 @@ describe('proxy route filter middleware', () => {
     sinon.restore();
   });
 
+  after(() => {
+    sinon.restore();
+  });
+
   it('should reject invalid git requests with 400', async () => {
     const res = await chai
       .request(app)
@@ -50,7 +64,7 @@ describe('proxy route filter middleware', () => {
       .set('accept', 'application/x-git-upload-pack-request');
 
     expect(res).to.have.status(400);
-    expect(res.text).to.equal('Invalid request received');
+    expect(res.text).to.contain('Invalid request received');
   });
 
   it('should handle blocked requests and return custom packet message', async () => {
@@ -68,7 +82,7 @@ describe('proxy route filter middleware', () => {
       .send(Buffer.from('0000'))
       .buffer();
 
-    expect(res.status).to.equal(200);
+    expect(res.status).to.equal(403);
     expect(res.text).to.contain('You shall not push!');
     expect(res.headers['content-type']).to.include('application/x-git-receive-pack-result');
     expect(res.headers['x-frame-options']).to.equal('DENY');
@@ -321,13 +335,6 @@ describe('proxy express application', async () => {
   };
 
   before(async () => {
-    // pass through requests
-    sinon.stub(chain, 'executeChain').resolves({
-      blocked: false,
-      blockedMessage: '',
-      error: false,
-    });
-
     // start the API and proxy
     proxy = new Proxy();
     apiApp = await service.start(proxy);
@@ -364,7 +371,7 @@ describe('proxy express application', async () => {
     // proxy a fetch request
     const res = await chai
       .request(proxy.getExpressApp())
-      .get('/github.com/finos/git-proxy.git/info/refs?service=git-upload-pack')
+      .get(`${TEST_DEFAULT_REPO.proxyUrlPrefix}/info/refs?service=git-upload-pack`)
       .set('user-agent', 'git/2.42.0')
       .set('accept', 'application/x-git-upload-pack-request')
       .buffer();
@@ -373,11 +380,11 @@ describe('proxy express application', async () => {
     expect(res.text).to.contain('git-upload-pack');
   });
 
-  it('should proxy requests for the default GitHub repository using the backwards compatibility URL', async function () {
+  it('should proxy requests for the default GitHub repository using the fallback URL', async function () {
     // proxy a fetch request using a fallback URL
     const res = await chai
       .request(proxy.getExpressApp())
-      .get('/finos/git-proxy.git/info/refs?service=git-upload-pack')
+      .get(`${TEST_DEFAULT_REPO.proxyUrlPrefix}/info/refs?service=git-upload-pack`)
       .set('user-agent', 'git/2.42.0')
       .set('accept', 'application/x-git-upload-pack-request')
       .buffer();
@@ -415,7 +422,7 @@ describe('proxy express application', async () => {
     // proxy a request to the new repo
     const res2 = await chai
       .request(proxy.getExpressApp())
-      .get(`/${TEST_GITLAB_REPO.proxyUrlPrefix}/info/refs?service=git-upload-pack`)
+      .get(`${TEST_GITLAB_REPO.proxyUrlPrefix}/info/refs?service=git-upload-pack`)
       .set('user-agent', 'git/2.42.0')
       .set('accept', 'application/x-git-upload-pack-request')
       .buffer();
@@ -442,23 +449,53 @@ describe('proxy express application', async () => {
     res.should.have.status(200);
 
     // confirm that its gone from the DB
-    repo = await db.getRepoByUrl(
-      TEST_GITLAB_REPO.url,
+    repo = await db.getRepoByUrl(TEST_GITLAB_REPO.url);
+    expect(
+      repo,
       'The GitLab repo still existed in the database after it should have been deleted...',
-    );
-    expect(repo).to.be.null;
+    ).to.be.null;
 
     // give the proxy half a second to restart
     await new Promise((resolve) => setTimeout(resolve, 500));
 
     // try (and fail) to proxy a request to gitlab.com
     const res2 = await chai
       .request(proxy.getExpressApp())
-      .get(`/${TEST_GITLAB_REPO.proxyUrlPrefix}/info/refs?service=git-upload-pack`)
+      .get(`${TEST_GITLAB_REPO.proxyUrlPrefix}/info/refs?service=git-upload-pack`)
       .set('user-agent', 'git/2.42.0')
       .set('accept', 'application/x-git-upload-pack-request')
       .buffer();
 
-    res2.should.have.status(404);
+    res2.should.have.status(403);
+  }).timeout(5000);
+
+  it('should not proxy requests for an unknown project', async function () {
+    // We are testing that the proxy stops proxying requests for a particular origin
+    // The chain is stubbed and will always passthrough requests, hence, we are only checking what hosts are proxied.
+
+    // the gitlab test repo should already exist
+    const repo = await db.getRepoByUrl(TEST_UNKNOWN_REPO.url);
+    expect(
+      repo,
+      'The unknown (but real) repo existed in the database which is not expected for this test',
+    ).to.be.null;
+
+    // try (and fail) to proxy a request to the repo directly
+    const res = await chai
+      .request(proxy.getExpressApp())
+      .get(`${TEST_UNKNOWN_REPO.proxyUrlPrefix}/info/refs?service=git-upload-pack`)
+      .set('user-agent', 'git/2.42.0')
+      .set('accept', 'application/x-git-upload-pack-request')
+      .buffer();
+    res.should.have.status(403);
+
+    // try (and fail) to proxy a request to the repo via the fallback URL directly
+    const res2 = await chai
+      .request(proxy.getExpressApp())
+      .get(`${TEST_UNKNOWN_REPO.fallbackUrlPrefix}/info/refs?service=git-upload-pack`)
+      .set('user-agent', 'git/2.42.0')
+      .set('accept', 'application/x-git-upload-pack-request')
+      .buffer();
+    res2.should.have.status(403);
   }).timeout(5000);
 });
