Make Rack::Request use our trusted proxies when filtering IP addressesrack-request-trusted-proxies

This allows us to control the trusted proxies while deployed in a private network. Normally Rack::Request will trust all private IPs as trusted proxies, which can caue problems if your users are connection on you network via private IP ranges.

Normally in a rails app this is handled by action_dispatch request, but rack_attack is specifically using the Rack::Request object instead.

1 files changed, 13 insertions, 0 deletions

diff --git a/config/initializers/trusted_proxies.rb b/config/initializers/trusted_proxies.rb
index d256a16d42b..df4a933e22f 100644
--- a/config/initializers/trusted_proxies.rb
+++ b/config/initializers/trusted_proxies.rb
@@ -1,3 +1,16 @@
+# Override Rack::Request to make use of the same list of trusted_proxies
+# as the ActionDispatch::Request object. This is necessary for libraries
+# like rack_attack where they don't use ActionDispatch, and we want them
+# to block/throttle requests on private networks.
+# Rack Attack specific issue: https://github.com/kickstarter/rack-attack/issues/145 
+module Rack
+  class Request
+    def trusted_proxy?(ip)
+      Rails.application.config.action_dispatch.trusted_proxies.any? { |proxy| proxy === ip }
+    end
+  end
+end
+
 Rails.application.config.action_dispatch.trusted_proxies = (
   [ '127.0.0.1', '::1' ] + Array(Gitlab.config.gitlab.trusted_proxies)
 ).map { |proxy| IPAddr.new(proxy) }