diff options
| author | Douwe Maan <douwe@gitlab.com> | 2016-06-30 15:37:16 +0000 |
|---|---|---|
| committer | Douwe Maan <douwe@gitlab.com> | 2016-06-30 15:37:16 +0000 |
| commit | 8a245b80a54f5c26d17eca8287ee6bd82d6f17b1 (patch) | |
| tree | e947e6535d74750eb1a2abc262a0bd9f3c5bc581 /spec/initializers | |
| parent | f991b7fce602e26abeee9c99ad58cfa9d710b170 (diff) | |
| parent | 860785f00757a47e0e3ace973444ba5ad6d9c174 (diff) | |
| download | gitlab-ce-8a245b80a54f5c26d17eca8287ee6bd82d6f17b1.tar.gz | |
Merge branch 'rack-request-trusted-proxies' into 'master'
Make Rack::Request use our trusted proxies when filtering IP addresses
## What does this MR do?
This allows us to control the trusted proxies while deployed in a private network.
## Are there points in the code the reviewer needs to double check?
If we want to limit what is impacted, we can do this specifically for the rack_attack request object.
## Why was this MR needed?
Normally Rack::Request will trust all private IPs as trusted proxies, which can cause problems if your users are connection on you network via private IP ranges.
Normally in a rails app this is handled by action_dispatch request, but rack_attack is specifically using the Rack::Request object instead.
## What are the relevant issue numbers?
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17550
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] ~~[Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)~~
- [ ] ~~API support added~~
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
\cc @stanhu
See merge request !4958
Diffstat (limited to 'spec/initializers')
| -rw-r--r-- | spec/initializers/trusted_proxies_spec.rb | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/spec/initializers/trusted_proxies_spec.rb b/spec/initializers/trusted_proxies_spec.rb index 4bb149f25ff..14c8df954a6 100644 --- a/spec/initializers/trusted_proxies_spec.rb +++ b/spec/initializers/trusted_proxies_spec.rb @@ -6,14 +6,16 @@ describe 'trusted_proxies', lib: true do set_trusted_proxies([]) end - it 'preserves private IPs as remote_ip' do + it 'preserves private IPs' do request = stub_request('HTTP_X_FORWARDED_FOR' => '10.1.5.89') expect(request.remote_ip).to eq('10.1.5.89') + expect(request.ip).to eq('10.1.5.89') end - it 'filters out localhost from remote_ip' do + it 'filters out localhost' do request = stub_request('HTTP_X_FORWARDED_FOR' => '1.1.1.1, 10.1.5.89, 127.0.0.1') expect(request.remote_ip).to eq('10.1.5.89') + expect(request.ip).to eq('10.1.5.89') end end @@ -22,9 +24,10 @@ describe 'trusted_proxies', lib: true do set_trusted_proxies([ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]) end - it 'filters out private and local IPs from remote_ip' do + it 'filters out private and local IPs' do request = stub_request('HTTP_X_FORWARDED_FOR' => '1.2.3.6, 1.1.1.1, 10.1.5.89, 127.0.0.1') expect(request.remote_ip).to eq('1.1.1.1') + expect(request.ip).to eq('1.1.1.1') end end @@ -33,9 +36,10 @@ describe 'trusted_proxies', lib: true do set_trusted_proxies([ "60.98.25.47" ]) end - it 'filters out proxy IP from remote_ip' do + it 'filters out proxy IP' do request = stub_request('HTTP_X_FORWARDED_FOR' => '1.2.3.6, 1.1.1.1, 60.98.25.47, 127.0.0.1') expect(request.remote_ip).to eq('1.1.1.1') + expect(request.ip).to eq('1.1.1.1') end end |