summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Thomas <nick@gitlab.com>2017-11-02 12:50:05 +0000
committerNick Thomas <nick@gitlab.com>2017-11-02 12:50:05 +0000
commit5c147b6b8ef3f543f98c15ce2a54d4e3f2821303 (patch)
tree3c96c95832a424316dd76d3fef36774d6fbe5b5a
parent506a4e7530854ec4f4775b8df96a272509a553ba (diff)
parent2fd5cc2bff81ddcbce8381bb0c835d1d1717c0ed (diff)
downloadgitlab-ce-5c147b6b8ef3f543f98c15ce2a54d4e3f2821303.tar.gz
Merge branch '3274-geo-route-whitelisting' into 'master'
Geo route whitelisting is too optimistic Closes gitlab-ee#3274 See merge request gitlab-org/gitlab-ce!15082
-rw-r--r--changelogs/unreleased/3274-geo-route-whitelisting.yml5
-rw-r--r--lib/gitlab/middleware/read_only.rb5
-rw-r--r--spec/lib/gitlab/middleware/read_only_spec.rb26
3 files changed, 34 insertions, 2 deletions
diff --git a/changelogs/unreleased/3274-geo-route-whitelisting.yml b/changelogs/unreleased/3274-geo-route-whitelisting.yml
new file mode 100644
index 00000000000..43a5af80497
--- /dev/null
+++ b/changelogs/unreleased/3274-geo-route-whitelisting.yml
@@ -0,0 +1,5 @@
+---
+title: Tighten up whitelisting of certain Geo routes
+merge_request: 15082
+author:
+type: fixed
diff --git a/lib/gitlab/middleware/read_only.rb b/lib/gitlab/middleware/read_only.rb
index 0de0cddcce4..8853dfa3d2d 100644
--- a/lib/gitlab/middleware/read_only.rb
+++ b/lib/gitlab/middleware/read_only.rb
@@ -12,6 +12,7 @@ module Gitlab
def call(env)
@env = env
+ @route_hash = nil
if disallowed_request? && Gitlab::Database.read_only?
Rails.logger.debug('GitLab ReadOnly: preventing possible non read-only operation')
@@ -77,11 +78,11 @@ module Gitlab
end
def grack_route
- request.path.end_with?('.git/git-upload-pack')
+ route_hash[:controller] == 'projects/git_http' && route_hash[:action] == 'git_upload_pack'
end
def lfs_route
- request.path.end_with?('/info/lfs/objects/batch')
+ route_hash[:controller] == 'projects/lfs_api' && route_hash[:action] == 'batch'
end
end
end
diff --git a/spec/lib/gitlab/middleware/read_only_spec.rb b/spec/lib/gitlab/middleware/read_only_spec.rb
index 742a792a1af..86be06ff595 100644
--- a/spec/lib/gitlab/middleware/read_only_spec.rb
+++ b/spec/lib/gitlab/middleware/read_only_spec.rb
@@ -83,6 +83,13 @@ describe Gitlab::Middleware::ReadOnly do
expect(subject).to disallow_request
end
+ it 'expects POST of new file that looks like an LFS batch url to be disallowed' do
+ response = request.post('/root/gitlab-ce/new/master/app/info/lfs/objects/batch')
+
+ expect(response).to be_a_redirect
+ expect(subject).to disallow_request
+ end
+
context 'whitelisted requests' do
it 'expects DELETE request to logout to be allowed' do
response = request.delete('/users/sign_out')
@@ -104,6 +111,25 @@ describe Gitlab::Middleware::ReadOnly do
expect(response).not_to be_a_redirect
expect(subject).not_to disallow_request
end
+
+ it 'expects a POST request to git-upload-pack URL to be allowed' do
+ response = request.post('/root/rouge.git/git-upload-pack')
+
+ expect(response).not_to be_a_redirect
+ expect(subject).not_to disallow_request
+ end
+
+ it 'expects requests to sidekiq admin to be allowed' do
+ response = request.post('/admin/sidekiq')
+
+ expect(response).not_to be_a_redirect
+ expect(subject).not_to disallow_request
+
+ response = request.get('/admin/sidekiq')
+
+ expect(response).not_to be_a_redirect
+ expect(subject).not_to disallow_request
+ end
end
end