authorGitLab Bot <gitlab-bot@gitlab.com>2023-03-01 00:09:51 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-03-01 00:09:51 +0000
commit6b75388b67c35271bc18f2dbd41a72accd927808 (patch)
tree0e905919b117b731ea22ef629f45701e6124c1ee
parent260c87f94ecc8802de4f7cd16d10c0a08d19559c (diff)
Add latest changes from gitlab-org/gitlab@15-9-stable-ee
-rw-r--r--doc/user/clusters/agent/install/index.md4
-rw-r--r--doc/user/project/import/github.md8
-rw-r--r--lib/gitlab/http_connection_adapter.rb2
-rw-r--r--lib/gitlab/octokit/middleware.rb7
-rw-r--r--lib/gitlab/url_blocker.rb4
-rw-r--r--spec/lib/gitlab/http_connection_adapter_spec.rb14
-rw-r--r--spec/lib/gitlab/octokit/middleware_spec.rb31
-rw-r--r--spec/lib/gitlab/url_blocker_spec.rb11
8 files changed, 30 insertions, 51 deletions
diff --git a/doc/user/clusters/agent/install/index.md b/doc/user/clusters/agent/install/index.md
index bb9a9c371a2..297210ab8ef 100644
--- a/doc/user/clusters/agent/install/index.md
+++ b/doc/user/clusters/agent/install/index.md
@@ -155,10 +155,6 @@ helm upgrade --install gitlab-agent gitlab/gitlab-agent \
...
```
-NOTE:
-DNS rebind protection is disabled when either the HTTP_PROXY or the HTTPS_PROXY environment variable is set,
-and the domain DNS can't be resolved.
-
#### Advanced installation method
GitLab also provides a [KPT package for the agent](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/build/deployment/gitlab-agent). This method provides greater flexibility, but is only recommended for advanced users.
diff --git a/doc/user/project/import/github.md b/doc/user/project/import/github.md
index 9298dab6f64..eeebb5a166c 100644
--- a/doc/user/project/import/github.md
+++ b/doc/user/project/import/github.md
@@ -7,8 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Import your project from GitHub to GitLab **(FREE)**
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/381902) in GitLab 15.8, GitLab no longer automatically creates namespaces or groups that don't exist. GitLab also no longer falls back to using the user's personal namespace if the namespace or group name is taken.
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/378267) in GitLab 15.9, GitLab instances behind proxies no longer require `github.com` and `api.github.com` entries in the [allowlist for local requests](../../../security/webhooks.md#create-an-allowlist-for-local-requests).
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/381902) in GitLab 15.8, GitLab no longer automatically creates namespaces or groups that don't exist. GitLab also no longer falls back to using the user's personal namespace if the namespace or group name is taken.
You can import your GitHub projects from either GitHub.com or GitHub Enterprise. Importing projects does not
migrate or import any types of groups or organizations from GitHub to GitLab.
@@ -63,8 +62,9 @@ prerequisites for those imports.
If you are importing from GitHub Enterprise to a self-managed GitLab instance:
- You must first enable the [GitHub integration](../../../integration/github.md).
-- For GitLab 15.8 and earlier, you must add `github.com` and `api.github.com` entries in the
- [allowlist for local requests](../../../security/webhooks.md#create-an-allowlist-for-local-requests).
+- If GitLab is behind a HTTP/HTTPS proxy, you must populate the [allowlist for local requests](../../../security/webhooks.md#create-an-allowlist-for-local-requests)
+ with `github.com` and `api.github.com` to solve the hostname. For more information, read the issue
+ [Importing a GitHub project requires DNS resolution even when behind a proxy](https://gitlab.com/gitlab-org/gitlab/-/issues/37941).
### Importing from GitHub.com to self-managed GitLab
diff --git a/lib/gitlab/http_connection_adapter.rb b/lib/gitlab/http_connection_adapter.rb
index aec430f2686..3ef60be67a9 100644
--- a/lib/gitlab/http_connection_adapter.rb
+++ b/lib/gitlab/http_connection_adapter.rb
@@ -59,6 +59,8 @@ module Gitlab
end
def dns_rebind_protection?
+ return false if Gitlab.http_proxy_env?
+
Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
end
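Review bot: The new early return in `dns_rebind_protection?` switches rebinding protection off for every connection this adapter builds as soon as a proxy variable is present, and nothing in the method says why. If the environment also exempts some hosts from the proxy (for example via `no_proxy`, which this hunk does not show being consulted), those requests would presumably go out directly with the resolve-and-pin step skipped. I would add a comment such as `# Behind a proxy the proxy resolves the target, so pinning a locally resolved IP is skipped` and consider narrowing the condition to hosts that are actually proxied. The docs hunk in this commit also drops the NOTE that described the proxy exception, so operators lose the only visible statement of this behaviour.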
diff --git a/lib/gitlab/octokit/middleware.rb b/lib/gitlab/octokit/middleware.rb
index 0e47672bb3c..a92860f7eb8 100644
--- a/lib/gitlab/octokit/middleware.rb
+++ b/lib/gitlab/octokit/middleware.rb
@@ -11,8 +11,7 @@ module Gitlab
Gitlab::UrlBlocker.validate!(env[:url],
schemes: %w[http https],
allow_localhost: allow_local_requests?,
- allow_local_network: allow_local_requests?,
- dns_rebind_protection: dns_rebind_protection?
+ allow_local_network: allow_local_requests?
)
@app.call(env)
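Review bot: With `dns_rebind_protection:` dropped from this `validate!` call, the middleware no longer follows the `dns_rebinding_protection_enabled?` application setting and falls back to whatever default `Gitlab::UrlBlocker.validate!` declares, which is not visible here. Together with the `url_blocker.rb` hunk removing the `Gitlab.http_proxy_env?` exemption, an import from a proxied instance that cannot resolve the host locally will presumably be rejected unless the host is allowlisted, as the updated GitHub import doc says. A short comment above the call, e.g. `# dns_rebind_protection is left at the UrlBlocker default; proxied instances must allowlist the host`, would make that intentional. The surrounding `call` method starts outside the hunk.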
@@ -23,10 +22,6 @@ module Gitlab
def allow_local_requests?
Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
end
-
- def dns_rebind_protection?
- Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
- end
end
end
end
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index b620e9b4560..00e609511f2 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -121,8 +121,8 @@ module Gitlab
end
rescue SocketError
# If the dns rebinding protection is not enabled or the domain
- # is allowed, or HTTP_PROXY is set we avoid the dns rebinding checks
- return if domain_allowed?(uri) || !dns_rebind_protection || Gitlab.http_proxy_env?
+ # is allowed we avoid the dns rebinding checks
+ return if domain_allowed?(uri) || !dns_rebind_protection
# In the test suite we use a lot of mocked urls that are either invalid or
# don't exist. In order to avoid modifying a ton of tests and factories
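Review bot: The rewritten comment still says the line avoids "the dns rebinding checks", but it sits inside `rescue SocketError`, so what it really decides is whether a failed lookup is tolerated. Something like `# Resolution failed: tolerate it only for allowlisted domains or when rebind protection is off` reads closer to the code. With the proxy clause gone, each caller has to account for a resolving proxy itself; in this commit only `HTTPConnectionAdapter#dns_rebind_protection?` is shown doing so. The enclosing method begins and ends outside the hunk.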
diff --git a/spec/lib/gitlab/http_connection_adapter_spec.rb b/spec/lib/gitlab/http_connection_adapter_spec.rb
index 5137e098e2d..5e2c6be8993 100644
--- a/spec/lib/gitlab/http_connection_adapter_spec.rb
+++ b/spec/lib/gitlab/http_connection_adapter_spec.rb
@@ -111,6 +111,20 @@ RSpec.describe Gitlab::HTTPConnectionAdapter do
end
end
+ context 'when http(s) environment variable is set' do
+ before do
+ stub_env('https_proxy' => 'https://my.proxy')
+ end
+
+ it 'sets up the connection' do
+ expect(connection).to be_a(Gitlab::NetHttpAdapter)
+ expect(connection.address).to eq('example.org')
+ expect(connection.hostname_override).to eq(nil)
+ expect(connection.addr_port).to eq('example.org')
+ expect(connection.port).to eq(443)
+ end
+ end
+
context 'when URL scheme is not HTTP/HTTPS' do
let(:uri) { URI('ssh://example.org') }
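Review bot: The context name 'when http(s) environment variable is set' omits the word proxy, and the setup stubs only lowercase `https_proxy`, so any other variables that `Gitlab.http_proxy_env?` may recognise are not exercised here. I would rename it to `context 'when an HTTP(S) proxy environment variable is set' do` and use `be_nil` in place of `eq(nil)`. The example would also be clearer if it called `stub_application_setting(dns_rebinding_protection_enabled: true)` explicitly, so the test shows the proxy check overriding the setting rather than relying on whatever the outer setup provides.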
diff --git a/spec/lib/gitlab/octokit/middleware_spec.rb b/spec/lib/gitlab/octokit/middleware_spec.rb
index f7063f2c4f2..5555990b113 100644
--- a/spec/lib/gitlab/octokit/middleware_spec.rb
+++ b/spec/lib/gitlab/octokit/middleware_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
let(:app) { double(:app) }
let(:middleware) { described_class.new(app) }
- shared_examples 'Allowed URL' do
+ shared_examples 'Public URL' do
it 'does not raise an error' do
expect(app).to receive(:call).with(env)
@@ -14,7 +14,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
end
end
- shared_examples 'Blocked URL' do
+ shared_examples 'Local URL' do
it 'raises an error' do
expect { middleware.call(env) }.to raise_error(Gitlab::UrlBlocker::BlockedUrlError)
end
@@ -24,24 +24,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
context 'when the URL is a public URL' do
let(:env) { { url: 'https://public-url.com' } }
- it_behaves_like 'Allowed URL'
-
- context 'with failed address check' do
- before do
- stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
- allow(Addrinfo).to receive(:getaddrinfo).and_raise(SocketError)
- end
-
- it_behaves_like 'Blocked URL'
-
- context 'with disabled dns rebinding check' do
- before do
- stub_application_setting(dns_rebinding_protection_enabled: false)
- end
-
- it_behaves_like 'Allowed URL'
- end
- end
+ it_behaves_like 'Public URL'
end
context 'when the URL is a localhost address' do
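Review bot: Renaming the shared examples to 'Public URL' and 'Local URL' makes them describe the input instead of the outcome, yet the later hunks include 'Public URL' for localhost and local-network URLs when local requests are allowed. Keeping outcome-based names (`'Allowed URL'` / `'Blocked URL'`) would read correctly in all of those contexts. This hunk also deletes the 'with failed address check' contexts, so nothing left in this spec file appears to pin what the middleware does when `Addrinfo.getaddrinfo` raises `SocketError`; a single example for that path under the new default would keep it covered.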
@@ -52,7 +35,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
end
- it_behaves_like 'Blocked URL'
+ it_behaves_like 'Local URL'
end
context 'when localhost requests are allowed' do
@@ -60,7 +43,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
end
- it_behaves_like 'Allowed URL'
+ it_behaves_like 'Public URL'
end
end
@@ -72,7 +55,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
end
- it_behaves_like 'Blocked URL'
+ it_behaves_like 'Local URL'
end
context 'when local network requests are allowed' do
@@ -80,7 +63,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
end
- it_behaves_like 'Allowed URL'
+ it_behaves_like 'Public URL'
end
end
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb
index 0d037984799..05f7af7606d 100644
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -174,17 +174,6 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
expect { subject }.to raise_error(described_class::BlockedUrlError)
end
-
- context 'with HTTP_PROXY' do
- before do
- allow(Gitlab).to receive(:http_proxy_env?).and_return(true)
- end
-
- it_behaves_like 'validates URI and hostname' do
- let(:expected_uri) { import_url }
- let(:expected_hostname) { nil }
- end
- end
end
context 'when domain is too long' do