Possible GitLab API Bug


I think I may have found a bug with the REST API.

I’m trying to create a release with a formatted description and I’m receiving a 400 BAD REQUEST with no body when I make a request against the releases endpoint and pass a description with newline characters in it.

Repro steps below:

    cat <<EOF > tst.txt
    test
    test
    EOF

    DESCRIPTION=$(cat tst.txt)

    curl --header "Content-Type: application/json" --header "Private-Token: $ACCESS_TOKEN" --data-binary "{\"name\": \"$CI_COMMIT_TAG\", \"tag_name\": \"$CI_COMMIT_TAG\", \"$DESCRIPTION\": \"\"}" https://gitlab.com/api/v4/projects/PROJECT_ID/releases/

    < HTTP/1.1 400 Bad Request
    < Server: nginx
    < Date: Thu, 06 Jun 2019 23:43:23 GMT
    < Content-Type: text/html; charset=utf-8
    < Content-Length: 0
    < X-Request-Id: Q7pCABr9031
    < X-Runtime: 0.100442
    < RateLimit-Limit: 600
    < RateLimit-Observed: 3
    < RateLimit-Remaining: 597
    < RateLimit-Reset: 1559864663
    < RateLimit-ResetTime: Thu, 06 Jun 2019 23:44:23 GMT
    * Connection #0 to host gitlab.com left intact

I am facing the same issue, but I would say it is not related to newlines in the description.
I tried different approaches for the description and nothing works. The Release API documentation is so shallow that one cannot figure out what the error could be.

When I remove the content type the error says: tag_name and description are missing
When I quote the tag_name the error says: ref is missing
When I unquote tag_name I get a BAD_REQUEST, due to missing quotes on tag_name


Can you please share your requests from the command line? That helps reproduce the problem. The original post uses a wrong key for the description, resulting in a bad request; description is required by the docs table.


The command output is like this (some sensitive info replaced):

    curl -vS -H "Content-Type: application/json;charset=utf-8" -H "Private-Token: ********(suppressed)*******" -d '{"name": "Release version v0.1.123", "tag_name": "v0.1.123", "description": "App version 0.1.123 <
    /p> **Changelog**: </p> 1. a496a2c - Instructions to access S3 files by Rogerio R. (user@mails-server.com)
    1. d324f1b - Tweak memory definition based on tips for docker by Rogerio R. (user@mails-server.com)
    1. 6cf9b6b - Create missing files by Rogerio R. (user@mails-server.com) </p>"}' "https://git.acme.com/api/v4/projects/3283/releases"
    > POST /api/v4/projects/3283/releases HTTP/2
    > Host: git.acme.com
    > user-agent: curl/7.67.0
    > accept: */*
    > content-type: application/json;charset=utf-8
    > private-token: ********(suppressed)*******
    > content-length: 8
    * We are completely uploaded and fine
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 400 
    < server: nginx
    < date: Fri, 03 Jan 2020 17:47:50 GMT
    < content-type: text/html; charset=utf-8
    < content-length: 0
    < x-request-id: 7MntJoZzeJ3
    < x-runtime: 0.003032
    * Connection #0 to host git.acme.com left intact

I removed the assets node from the payload because sometimes I got an error related to the link scheme only allowing https, http or ftp, even though I was using a valid link.
I replaced the HTML tags by using ampersand notation &lt; and &gt; without success.

Additional info: I am using GitLab Enterprise Edition 12.6.1-ee

I figured out how to make my call work. I am using the following command to produce a changelog alongside the description:

    git log v0.1.0.. --oneline --pretty="1. %h - %s by %an (%ae)"| grep -vi merge

Maybe due to line breaks the payload ends up invalid. Redirecting the output to a file first and using the resulting file as -d @filename creates a valid POST.

Another issue that could be reproduced is:

Create a merge request and name it with quotes: PROJ 001 “My changes”

When the release API is called, an error is raised and the release is not created.
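
Added example, not part of any post in this thread: a local pre-flight check showing why values interpolated into a JSON template (multi-line text, text containing double quotes, a wrong key) yield a body the server rejects, next to the same values passed through a JSON encoder. The function names, the sample strings and the `REQUIRED_KEYS` tuple (taken from the error message quoted above) are assumptions made for illustration.

```python
import json

# Assumption: the two keys named by the error message quoted in the thread.
REQUIRED_KEYS = ("tag_name", "description")


def naive_payload(tag, description):
    """Interpolate values into a JSON template, as the curl commands above do."""
    return '{"name": "%s", "tag_name": "%s", "description": "%s"}' % (
        tag, tag, description)


def safe_payload(tag, description):
    """Serialize with a JSON encoder so newlines and quotes are escaped."""
    return json.dumps({"name": tag, "tag_name": tag, "description": description})


def preflight(body):
    """Return a list of problems found in a request body; empty means OK."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError as exc:
        return ["invalid JSON at line %d column %d: %s"
                % (exc.lineno, exc.colno, exc.msg)]
    if not isinstance(parsed, dict):
        return ["body is not a JSON object"]
    return ["missing required key: %s" % key
            for key in REQUIRED_KEYS if key not in parsed]


# Constructed sample inputs modelled on the thread, not real data.
MULTILINE = "test\ntest"
QUOTED = 'PROJ 001 "My changes"'

if __name__ == "__main__":
    for label, text in (("multiline", MULTILINE), ("quoted", QUOTED)):
        print(label, "naive:", preflight(naive_payload("v0.1.123", text)))
        print(label, "safe: ", preflight(safe_payload("v0.1.123", text)))
    # Wrong key instead of "description": the body parses, but the key is missing.
    print(preflight('{"name": "v1", "tag_name": "v1", "test": ""}'))
```

The serialized body is a single line, so it can be written to a file and sent with `-d @filename` as the later post does.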