authorThong Kuah <tkuah@gitlab.com>2019-07-19 14:12:02 +1200
committerThong Kuah <tkuah@gitlab.com>2019-08-21 10:49:22 +1200
commite0826b0cb522dc4a112f6617c6fb222f6e3f4ce2 (patch)
treea2a6c17994951dc48443ed99fc7313b4a9e849d3 /config
parent80c57bf6d13d6025a9568afb9cca36c279fac593 (diff)
Override hostname when connecting via Kubeclient
Kubeclient uses rest-client. We hack into it to access the net/http object so that we can patch it to connect to the resolved IP and set hostname_override. Add specs for discord. The discord integration also uses rest-client, so since we patched rest-client, spec that the DNS rebinding protection works.
Diffstat (limited to 'config')
-rw-r--r--config/initializers/rest-client-hostname_override.rb49
1 files changed, 49 insertions, 0 deletions
diff --git a/config/initializers/rest-client-hostname_override.rb b/config/initializers/rest-client-hostname_override.rb
new file mode 100644
index 00000000000..bc1b70bd73f
--- /dev/null
+++ b/config/initializers/rest-client-hostname_override.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module RestClient
+ class Request
+ attr_accessor :hostname_override
+
+ module UrlBlocker
+ def transmit(uri, req, payload, &block)
+ begin
+ ip, hostname_override = Gitlab::UrlBlocker.validate!(uri, allow_local_network: allow_settings_local_requests?,
+ allow_localhost: allow_settings_local_requests?,
+ dns_rebind_protection: dns_rebind_protection?)
+
+ self.hostname_override = hostname_override
+ rescue Gitlab::UrlBlocker::BlockedUrlError => e
+ raise ArgumentError, "URL '#{uri}' is blocked: #{e.message}"
+ end
+
+ # Gitlab::UrlBlocker returns a Addressable::URI which we need to coerce
+ # to URI so that rest-client can use it to determine if it's a
+ # URI::HTTPS or not. It uses it to set `net.use_ssl` to true or not:
+ #
+ # https://github.com/rest-client/rest-client/blob/f450a0f086f1cd1049abbef2a2c66166a1a9ba71/lib/restclient/request.rb#L656
+ ip_as_uri = URI.parse(ip)
+ super(ip_as_uri, req, payload, &block)
+ end
+
+ def net_http_object(hostname, port)
+ super.tap do |http|
+ http.hostname_override = hostname_override if hostname_override
+ end
+ end
+
+ private
+
+ def dns_rebind_protection?
+ return false if Gitlab.http_proxy_env?
+
+ Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
+ end
+
+ def allow_settings_local_requests?
+ Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?
+ end
+ end
+
+ prepend UrlBlocker
+ end
+end
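Review bot: The `ArgumentError` raised in the `rescue` branch of `transmit` interpolates the full `uri` into its message, so any secret carried in the URL (userinfo, or a token in the path or query, as webhook-style URLs often have) can end up wherever that exception is logged or displayed. Consider reporting only the host, e.g. `raise ArgumentError, "URL host '#{uri.host}' is blocked: #{e.message}"`, after confirming that `e.message` does not itself repeat the URL. Separately, `dns_rebind_protection?` returns false whenever `Gitlab.http_proxy_env?` is true, and nothing in the file says why. A comment such as `# With an HTTP proxy configured the proxy resolves the hostname, so the connection cannot be pinned to the validated IP` would help, if that is indeed the reason. In that mode the URL is presumably still validated but the connection is not pinned, which is worth stating so readers do not assume rebinding protection is always active.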