Skip to content

GitLab

Closed
Created by Administrator@rootOwner

Export existing repositories to gitlab

Created by: lyrixx

Hello.

Gitlab version : 2.6.3 commit 666cdb22 with One patch :

commit 9dc46f8353d577bc50a339cd335ff977dc6e1cc1
Author: Pierre GUINOISEAU <[email protected]>
Date:   Fri Jun 29 00:57:10 2012 +0200

    Add configurable default for projects_limit

I follow this wiki : https://github.com/gitlabhq/gitlabhq/wiki/Export-existing-repositories-to-gitlab

Here is mine :

#!/bin/bash

#get these two values from your browsers request headers when you login to *your* gitlab website

cookie='Cookie: remember_user_token=BAhbB1sGaQhJIiIkMmEkMTAkaU1BV2FyWmZlVmlJMXNFVEtsR3NYdQY6BkVU--e4cf11dc0599de7fbbefb96af5b21d45e16697da'
csrf='X-CSRF-Token: fbk/4nzmILpH5KOMvMSzKLd4B9F3usG%2B66l7VuZWl34='
gitlab_host='192.168.5.62' #substitute with IP if your server doesn't have a domain name

for r in $(cat repos)
do
  repo=$(echo $r| cut -d':' -f 1)
  path=$(echo $r|cut -d':' -f 2)
  echo $repo
  echo $path

  curl -H "$cookie" -H "$csrf" -H "X-Requested-With: XMLHttpRequest" -d "project[name]=$repo&project[path]=$repo&project[code]=$repo&project[description]=$repo" -i "http://$gitlab_host:3000/projects"

  exit;

  cd $path
  git remote add gitlab "git@$gitlab_host:$repo.git"
  git push gitlab master
  git push gitlab --all #comment out the above line and uncomment this one if you want to push all branches
done

I get the csrf on the page /admin/projects with POST action from the page : /admin/projects/new. The CSRF was in the head of the HTML :

<meta name="csrf-param" content="authenticity_token">
<meta name="csrf-token" content="fbk/4nzmILpH5KOMvMSzKLd4B9F3usG+66l7VuZWl34=">

When i try to run my script, it fails, and here is the error from the server :

Started POST "/projects" for 192.168.5.15 at 2012-07-09 12:31:04 +0200
Processing by ProjectsController#create as */*
  Parameters: {"project"=>{"name"=>"00240-1002-src", "path"=>"00240-1002-src", "code"=>"00240-1002-src", "description"=>"00240-1002-src"}}
WARNING: Can't verify CSRF token authenticity
Completed 500 Internal Server Error in 12ms

NoMethodError (undefined method `errors' for nil:NilClass):
  app/controllers/projects_controller.rb:35:in `rescue in create'
  app/controllers/projects_controller.rb:21:in `create'

Note : In my token i have a "+" that i replace with a %2B

Then i tried to submit csrf trought the form

curl -H "$cookie" -H "$csrf" -H "X-Requested-With: XMLHttpRequest" -d "project[name]=$repo&project[path]=$repo&project[code]=$repo&project[description]=$repo" -i "http://$gitlab_host:3000/projects" -d "authenticity_token=fbk/4nzmILpH5KOMvMSzKLd4B9F3usG%2B66l7VuZWl34="

Same result

Then I tried to disable CSRF protection (i did not work with ruby). After that, it did not get CSRF attack, but still failing with same message

What can i do ?

Other question, but not related : In our current gitolite, we have specific rules (ACL on repos + hierachical users), can we keep them ? like :

 56 repo @all
 57     R                                       = @readers
 58     RWC   master                            = @commiters
 59     RWC   feat-.*                           = @commiters @cpsl @cpes
 60     RW+CD feat-.*                           = @commiters
 61     RW+CD (hotfix|release)-.*               = @lead @dev_senior
 62     RW+CD (feat|hotfix|release|code-review) = @lead
 63     RW+C  master                            = @lead
 64     RW+CD refs/tags/v.*                     = @lead @dev_senior