Git LFS with a token doesn't work with GitHub Enterprise Server without subdomain isolation
We have found an issue regarding GitHub checkout action v2, Git LFS and GitHub Enterprise Server (on Azure).
We have a very simple workflow which doesn't work:
```yaml
- uses: actions/checkout@v2
  with:
    lfs: 'true'
```
All git lfs requests will be rejected with the following error: HTTP/1.1 400 Bad Request
By enabling GIT_TRACE=1 and GIT_CURL_VERBOSE=1 we see the following:
```text
> GET /storage/lfs/3/objects/d5c5871801d62c64f453462558c3a4697ac162730e49d48461ce87bafa83684c HTTP/1.1
> Host: ***.westeurope.cloudapp.azure.com
> Authorization: RemoteAuth AAAAAF72C****
> Authorization: Basic * * * * *
> User-Agent: git-lfs/2.12.1 (GitHub; windows amd64; go 1.14.10; git 85b28e06)
....
> HTTP/1.1 400 Bad Request
> Content-Length: 150
> Content-Type: text/html
> Date: Thu, 17 Dec 2020 10:25:15 GMT
> Server: GitHub.com
```
My current understanding: The GitHub checkout action is using the extraheader option with basic authorization in the local git config. So for each request this basic authorization header will be used.
In addition, a RemoteAuth authorization header will be added as a result of the git lfs batch API response from /info/lfs/objects/batch:
```json
{
  "objects": [
    {
      "oid": "fcc622faad3b44962e9211cc2fd478e7c0480d516098fab011ccdb1d29fbde81",
      "size": 4612119,
      "actions": {
        "download": {
          "href": "...",
          "header": {
            "Authorization": "RemoteAuth AAAAAMHDN3KJWR****"
          }
        }
      }
    }
  ]
}
```
Now we have two authorization headers.
In this comment https://github.com/git-lfs/git-lfs/issues/4031#issuecomment-589254543 one of the git lfs maintainers mentions that the git lfs server only allows requests with one authorization header. So all requests with two authorization headers will be rejected.
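As an added illustration (not code from the issue, from git-lfs or from actions/checkout), the following Python models the header merge described above: the checkout action's http.<server>.extraheader entry applies to every URL on the same host, so a download href on the main host ends up carrying both that header and the batch response's RemoteAuth header, while an href on a separate media subdomain only gets the latter. The host names, the config key format and the token values are constructed placeholders, and the URL matching is a simplified model of git's rule.

```python
from urllib.parse import urlsplit

# Constructed sample data, not taken from the issue: a git config entry of the
# kind actions/checkout@v2 writes (assumed key format) and one object from a
# batch response. Token values are placeholders.
GIT_CONFIG = {
    "http.https://ghes.example.com/.extraheader": ["AUTHORIZATION: basic <redacted-token>"],
}
BATCH_HEADER = {"Authorization": "RemoteAuth <redacted-token>"}
OID = "d5c5871801d62c64f453462558c3a4697ac162730e49d48461ce87bafa83684c"
HREF_SAME_HOST = f"https://ghes.example.com/storage/lfs/3/objects/{OID}"        # no subdomain isolation
HREF_MEDIA_HOST = f"https://media.ghes.example.com/storage/lfs/3/objects/{OID}"  # subdomain isolation


def extraheaders_for(url, git_config):
    """Values of http.<prefix>.extraheader keys that apply to url.
    Simplified model of git's URL matching: same scheme and host, and the
    key's path must be a prefix of the request path."""
    u = urlsplit(url)
    matched = []
    for key, values in git_config.items():
        if not (key.startswith("http.") and key.endswith(".extraheader")):
            continue
        p = urlsplit(key[len("http."):-len(".extraheader")])
        if p.scheme == u.scheme and p.netloc.lower() == u.netloc.lower() \
                and u.path.startswith(p.path.rstrip("/")):
            matched.extend(values)
    return matched


def build_request_headers(href, batch_header, git_config):
    """Headers an LFS client sends for a download: the batch response's per-object
    headers plus every matching extraheader from git config. Nothing is deduplicated."""
    headers = list(batch_header.items())
    for raw in extraheaders_for(href, git_config):
        name, _, value = raw.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def duplicate_header_names(headers):
    """Header names that occur more than once (case-insensitive). A server that
    accepts only one Authorization header answers such a request with 400."""
    counts = {}
    for name, _ in headers:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    for label, href in (("same host", HREF_SAME_HOST), ("media subdomain", HREF_MEDIA_HOST)):
        hdrs = build_request_headers(href, BATCH_HEADER, GIT_CONFIG)
        print(label, [h[0] for h in hdrs], "duplicates:", duplicate_header_names(hdrs))
```

Running it prints two Authorization entries and a duplicate for the same-host case and a single entry with no duplicate for the media subdomain, which is the difference between the failing and the working setup.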
Top GitHub Comments
@Roda83 I have a suspicion what is going on:
On your machine subdomain isolation is not enabled. Therefore, the Git Authorization header is automatically applied since it is the very same domain as the Git clone URL. In my test case subdomain isolation is enabled. Therefore, the LFS files are downloaded from a different domain (media.foo.bar) and no additional header is applied. In general it is highly recommended to enable subdomain isolation as this is an important GHES security feature. More info here: https://docs.github.com/en/enterprise-server@2.22/admin/configuration/enabling-subdomain-isolation
We will try to fix this problem. Can you try to enable subdomain isolation in the meantime?
@ericsciple Yes, currently we are using the checkout action v2 with lfs: false and persist-credentials: false, and a second action to perform a git-lfs pull over SSH. This works as a workaround at the moment until we enable subdomain isolation on our system.