author: Stan Hu <stanhu@gmail.com>, 2016-08-01 00:16:38 +0000
committer: Stan Hu <stanhu@gmail.com>, 2016-08-01 00:16:38 +0000
commit: aa727434d7619956c43c2d72d2edd8a3bd61f535 (patch)
tree: 035ce8fdd4df16eb74d0a3a06140168f8f652ad2
parent: e299504b798c053817f1c866649542ac0c779924 (diff)
parent: c9ce36e829be6a5991996a495946fe9416747c6e (diff)
download: gitlab-ce-aa727434d7619956c43c2d72d2edd8a3bd61f535.tar.gz
Merge branch 'fix-invalid-x-forwarded-for-ip' into 'master'
Ignore invalid IPs in X-Forwarded-For when trusted proxies are configured.
## What does this MR do?
Catches IPAddr::InvalidAddressError exceptions in `trusted_proxy?` when a) a trusted proxy is set up in the gitlab config and b) an invalid IP address is passed to the method (e.g. one with a port attached). When caught, returns `false` from the method. Prevents a 500 error in this situation.
## What are the relevant issue numbers?
Closes gitlab-org/gitlab-ce#20466.
## Does this MR meet the acceptance criteria?
- [X] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [N/A] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [N/A] API support added
- Tests
  - [X] Added for this feature/bug
  - [X] All builds are passing
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [X] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5584
 CHANGELOG                                 | 1 +
 config/initializers/trusted_proxies.rb    | 2 ++
 spec/initializers/trusted_proxies_spec.rb | 6 ++++++
 3 files changed, 9 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG index 9b66108c160..9075972e6d0 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -40,6 +40,7 @@ v 8.11.0 (unreleased) v 8.10.3 (unreleased) - Fix hooks missing on imported GitLab projects - Properly abort a merge when merge conflicts occur + - Ignore invalid IPs in X-Forwarded-For when trusted proxies are configured. v 8.10.2 - User can now search branches by name. !5144 diff --git a/config/initializers/trusted_proxies.rb b/config/initializers/trusted_proxies.rb index 30770b71e24..cd869657c53 100644 --- a/config/initializers/trusted_proxies.rb +++ b/config/initializers/trusted_proxies.rb @@ -7,6 +7,8 @@ module Rack class Request def trusted_proxy?(ip) Rails.application.config.action_dispatch.trusted_proxies.any? { |proxy| proxy === ip } + rescue IPAddr::InvalidAddressError + false end end end diff --git a/spec/initializers/trusted_proxies_spec.rb b/spec/initializers/trusted_proxies_spec.rb index 52d5a7dffc9..290e47763eb 100644 --- a/spec/initializers/trusted_proxies_spec.rb +++ b/spec/initializers/trusted_proxies_spec.rb @@ -47,6 +47,12 @@ describe 'trusted_proxies', lib: true do expect(request.remote_ip).to eq('1.1.1.1') expect(request.ip).to eq('1.1.1.1') end + + it 'handles invalid ip addresses' do + request = stub_request('HTTP_X_FORWARDED_FOR' => '(null), 1.1.1.1:12345, 1.1.1.1') + expect(request.remote_ip).to eq('1.1.1.1') + expect(request.ip).to eq('1.1.1.1') + end end def stub_request(headers = {}) |
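Review bot: the method-level `rescue IPAddr::InvalidAddressError` in `trusted_proxy?` (config/initializers/trusted_proxies.rb hunk) maps every malformed entry to `false` silently. That fails closed, since an entry such as `1.1.1.1:12345` or `(null)` is treated as an untrusted hop rather than crashing the request, but it leaves no trace in the logs when an upstream proxy starts forwarding garbage, so an operator cannot distinguish a misconfigured proxy from a spoofed header. Consider either a one-line comment above the `rescue` stating that "unparseable means untrusted" is intentional, or a debug-level log of the rejected value. Note also that the rescue only stops the exception: this method does not remove the unparseable entry from the forwarded chain, so whatever the caller does with untrusted entries still applies to it.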
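Review bot: the new example in spec/initializers/trusted_proxies_spec.rb exercises the rescue only indirectly through `remote_ip` and `ip`, with both malformed entries (`(null)` and `1.1.1.1:12345`) placed before a valid `1.1.1.1`, so the expectations would also pass if the malformed values were simply skipped. Consider pinning the behaviour down directly, for example `expect(request.trusted_proxy?('1.1.1.1:12345')).to be false` (if the object returned by `stub_request` exposes `trusted_proxy?`), and adding a case where the malformed entry is the last one in `HTTP_X_FORWARDED_FOR`, so the fail-closed result is asserted explicitly rather than implied by the trailing `1.1.1.1`.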
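The following is an added example, not code from GitLab, Rack or this merge request, that reconstructs the before/after behaviour the MR description explains: a `trusted_proxy?` that raises `IPAddr::InvalidAddressError` on an entry with a port attached, next to the patched form whose method-level `rescue` returns `false`, and a simplified client-IP walk over an `X-Forwarded-For` chain using the same header the patch's spec uses. The trusted-proxy list (`127.0.0.1`, `10.0.0.0/8`) and the `client_ip` helper are assumptions of the example; GitLab reads its list from `Rails.application.config.action_dispatch.trusted_proxies` and leaves the chain walk to Rack and Rails.

```ruby
require 'ipaddr'

# Constructed trusted-proxy list for this example only; GitLab takes its list
# from Rails.application.config.action_dispatch.trusted_proxies.
TRUSTED_PROXIES = %w[127.0.0.1 10.0.0.0/8].map { |cidr| IPAddr.new(cidr) }.freeze

# Behaviour before the patch: IPAddr#=== parses the candidate string, so an
# entry with a port ("1.1.1.1:12345") or junk ("(null)") raises
# IPAddr::InvalidAddressError, which is what produced the 500 the MR fixes.
def trusted_proxy_unguarded?(ip)
  TRUSTED_PROXIES.any? { |proxy| proxy === ip }
end

# Behaviour after the patch: the method-level rescue turns a parse failure
# into false, i.e. an unparseable entry is treated as an untrusted hop.
def trusted_proxy?(ip)
  TRUSTED_PROXIES.any? { |proxy| proxy === ip }
rescue IPAddr::InvalidAddressError
  false
end

# Reports whether the unguarded version raises for a given entry, so the
# before/after contrast can be checked without letting the exception escape.
def unguarded_raises?(ip)
  trusted_proxy_unguarded?(ip)
  false
rescue IPAddr::InvalidAddressError
  true
end

# Simplified client-IP resolution (an assumption of this example, modelled on
# the idea behind Rack::Request#ip, not copied from it): if the peer itself is
# not a trusted proxy, believe REMOTE_ADDR; otherwise split X-Forwarded-For,
# discard trusted proxies and take the last remaining hop.
def client_ip(remote_addr, x_forwarded_for)
  return remote_addr unless trusted_proxy?(remote_addr)

  hops = x_forwarded_for.to_s.split(/[,\s]+/).reject(&:empty?)
  hops.reject { |ip| trusted_proxy?(ip) }.last || remote_addr
end

if __FILE__ == $PROGRAM_NAME
  # Same header the patch's spec sends, with a trusted peer in front of it.
  header = '(null), 1.1.1.1:12345, 1.1.1.1'
  puts "unguarded raises on '1.1.1.1:12345': #{unguarded_raises?('1.1.1.1:12345')}"
  puts "guarded trusted_proxy?('1.1.1.1:12345'): #{trusted_proxy?('1.1.1.1:12345')}"
  puts "client_ip for spec header: #{client_ip('10.0.0.5', header)}"
  # Caveat: the rescue stops the exception but validates nothing, so an
  # unparseable entry in last position is still what this walk yields.
  puts "malformed entry last: #{client_ip('10.0.0.5', '1.1.1.1, 1.1.1.1:12345')}"
end
```

Running the file shows the unguarded check raising where the patched one returns `false`, and `client_ip` resolving the spec's header to `1.1.1.1`. The last line is the point worth keeping in mind when reviewing this fix: it removes the crash but does not sanitise the chain, so anything downstream that treats the resolved client IP as a real address (rate limiting, audit logging, IP allowlists) still needs its own validation of the value it receives.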