authorYorick Peterse <yorickpeterse@gmail.com>2019-06-03 14:56:33 +0200
committerYorick Peterse <yorickpeterse@gmail.com>2019-06-03 14:56:33 +0200
commit6cb750a2bb7e1720413a7c42ec4afebaa3f2f4d2 (patch)
tree2f94f96a1fcb0c692f8e94e924a733d4bad9a59b /config
parent51a66a581f4d0662d04c432aa4b014dd4b634fc9 (diff)
parent3dcf3cfde35d1506c7196634080849d002251a41 (diff)
Merge dev.gitlab.org master into GitLab.com master
Diffstat (limited to 'config')
-rw-r--r--config/initializers/hipchat_client_patch.rb6
-rw-r--r--config/initializers/http_hostname_override.rb49
2 files changed, 52 insertions, 3 deletions
diff --git a/config/initializers/hipchat_client_patch.rb b/config/initializers/hipchat_client_patch.rb
index 1879ecb15fb..51bd48af320 100644
--- a/config/initializers/hipchat_client_patch.rb
+++ b/config/initializers/hipchat_client_patch.rb
@@ -2,14 +2,14 @@
# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
module HipChat
class Client
- connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+ connection_adapter ::Gitlab::HTTPConnectionAdapter
end
class Room
- connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+ connection_adapter ::Gitlab::HTTPConnectionAdapter
end
class User
- connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+ connection_adapter ::Gitlab::HTTPConnectionAdapter
end
end
diff --git a/config/initializers/http_hostname_override.rb b/config/initializers/http_hostname_override.rb
new file mode 100644
index 00000000000..58dd380326f
--- /dev/null
+++ b/config/initializers/http_hostname_override.rb
@@ -0,0 +1,49 @@
+# This override allows passing `@hostname_override` to the SNI protocol,
+# which is used to lookup the correct SSL certificate in the
+# request handshake process.
+#
+# Given we've forced the HTTP request to be sent to the resolved
+# IP address in a few scenarios (e.g.: `Gitlab::HTTP` through
+# `Gitlab::UrlBlocker.validate!`), we need to provide the _original_
+# hostname via SNI in order to have a clean connection setup.
+#
+# This is ultimately needed in order to avoid DNS rebinding attacks
+# through HTTP requests.
+#
+class OpenSSL::SSL::SSLContext
+ attr_accessor :hostname_override
+end
+
+class OpenSSL::SSL::SSLSocket
+ module HostnameOverride
+ # rubocop: disable Gitlab/ModuleWithInstanceVariables
+ def hostname=(hostname)
+ super(@context.hostname_override || hostname)
+ end
+
+ def post_connection_check(hostname)
+ super(@context.hostname_override || hostname)
+ end
+ # rubocop: enable Gitlab/ModuleWithInstanceVariables
+ end
+
+ prepend HostnameOverride
+end
+
+class Net::HTTP
+ attr_accessor :hostname_override
+ SSL_IVNAMES << :@hostname_override
+ SSL_ATTRIBUTES << :hostname_override
+
+ module HostnameOverride
+ def addr_port
+ return super unless hostname_override
+
+ addr = hostname_override
+ default_port = use_ssl? ? Net::HTTP.https_default_port : Net::HTTP.http_default_port
+ default_port == port ? addr : "#{addr}:#{port}"
+ end
+ end
+
+ prepend HostnameOverride
+end
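Review bot: `addr_port` in `Net::HTTP::HostnameOverride` re-implements the default-port elision of `Net::HTTP#addr_port` rather than reusing it, so any upstream change to how that value is formatted (bracketing of IPv6 literals, for instance) will silently not apply when an override is set; `super` cannot simply be called because `address` is what it reads, so the coupling should at least be documented: `# Mirrors Net::HTTP#addr_port but substitutes the original hostname, so the Host header carries the name that was validated and matches the certificate, not the resolved IP.` The override value is interpolated straight into the Host header and handed to SNI without any check that it is a bare hostname; presumably it only ever comes from a URL already validated by `Gitlab::UrlBlocker.validate!`, and stating that assumption in the file header would make the trust boundary explicit. The link between `SSL_IVNAMES << :@hostname_override` / `SSL_ATTRIBUTES << :hostname_override` and the `@context.hostname_override` reads in the `SSLSocket` module is also unstated — a one-line comment such as `# Registered so Net::HTTP#connect copies @hostname_override onto the SSLContext, which is what the SSLSocket overrides above read` would save the next reader from having to trace net/http internals.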