author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:33:09 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:33:09 +0000 |
commit | 7a8a489be482e9e3cb925ce3ef4a6d18ff17910e (patch) | |
tree | cd3197d54f818e5b3c52036aa5e269123eb6f021 /workhorse/internal | |
parent | fa70ce1068babe592d348497c772f1b5160cbb6e (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee
Diffstat (limited to 'workhorse/internal')
-rw-r--r-- | workhorse/internal/rejectmethods/middleware.go | 38 | ||||
-rw-r--r-- | workhorse/internal/rejectmethods/middleware_test.go | 43 | ||||
-rw-r--r-- | workhorse/internal/upstream/upstream.go | 3 |
3 files changed, 84 insertions, 0 deletions
diff --git a/workhorse/internal/rejectmethods/middleware.go b/workhorse/internal/rejectmethods/middleware.go
new file mode 100644
index 00000000000..171463979d5
--- /dev/null
+++ b/workhorse/internal/rejectmethods/middleware.go
@@ -0,0 +1,38 @@
+package rejectmethods
+
+import (
+ "net/http"
+
+ "github.com/prometheus/client_golang/prometheus"
+)
+
+var acceptedMethods = map[string]bool{
+ http.MethodGet: true,
+ http.MethodHead: true,
+ http.MethodPost: true,
+ http.MethodPut: true,
+ http.MethodPatch: true,
+ http.MethodDelete: true,
+ http.MethodConnect: true,
+ http.MethodOptions: true,
+ http.MethodTrace: true,
+}
+
+var rejectedRequestsCount = prometheus.NewCounter(
+ prometheus.CounterOpts{
+ Name: "gitlab_workhorse_unknown_method_rejected_requests",
+ Help: "The number of requests with unknown HTTP method which were rejected",
+ },
+)
+
+// NewMiddleware returns middleware which rejects all unknown http methods
+func NewMiddleware(handler http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if acceptedMethods[r.Method] {
+ handler.ServeHTTP(w, r)
+ } else {
+ rejectedRequestsCount.Inc()
+ http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
+ }
+ })
+}
diff --git a/workhorse/internal/rejectmethods/middleware_test.go b/workhorse/internal/rejectmethods/middleware_test.go
new file mode 100644
index 00000000000..2921975aeef
--- /dev/null
+++ b/workhorse/internal/rejectmethods/middleware_test.go
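Review bot: The 405 written in the else branch of NewMiddleware carries no `Allow` header, which RFC 7231 requires on a 405 response, and `rejectedRequestsCount` is created with `prometheus.NewCounter` but is never registered anywhere in this hunk, so unless registration happens elsewhere in the package the metric will not be exported at all. Setting the header before the error write, `w.Header().Set("Allow", "GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE")`, and adding `func init() { prometheus.MustRegister(rejectedRequestsCount) }` would cover both. The map lookup is case-sensitive, which matches the HTTP method-token rules, but it is worth stating that in the doc comment, e.g. `// NewMiddleware returns middleware which rejects requests whose method is not one of the exact (case-sensitive) tokens in acceptedMethods with 405 Method Not Allowed.`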
@@ -0,0 +1,43 @@
+package rejectmethods
+
+import (
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestNewMiddleware(t *testing.T) {
+ handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ io.WriteString(w, "OK\n")
+ })
+
+ middleware := NewMiddleware(handler)
+
+ acceptedMethods := []string{"GET", "HEAD", "POST", "PUT", "PATCH", "CONNECT", "OPTIONS", "TRACE"}
+ for _, method := range acceptedMethods {
+ t.Run(method, func(t *testing.T) {
+ tmpRequest, _ := http.NewRequest(method, "/", nil)
+ recorder := httptest.NewRecorder()
+
+ middleware.ServeHTTP(recorder, tmpRequest)
+
+ result := recorder.Result()
+
+ require.Equal(t, http.StatusOK, result.StatusCode)
+ })
+ }
+
+ t.Run("UNKNOWN", func(t *testing.T) {
+ tmpRequest, _ := http.NewRequest("UNKNOWN", "/", nil)
+ recorder := httptest.NewRecorder()
+
+ middleware.ServeHTTP(recorder, tmpRequest)
+
+ result := recorder.Result()
+
+ require.Equal(t, http.StatusMethodNotAllowed, result.StatusCode)
+ })
+}
diff --git a/workhorse/internal/upstream/upstream.go b/workhorse/internal/upstream/upstream.go
index fd3f6191a5a..c81a21c0ecd 100644
--- a/workhorse/internal/upstream/upstream.go
+++ b/workhorse/internal/upstream/upstream.go
@@ -17,6 +17,7 @@ import ( "gitlab.com/gitlab-org/gitlab-workhorse/internal/config" "gitlab.com/gitlab-org/gitlab-workhorse/internal/helper" + "gitlab.com/gitlab-org/gitlab-workhorse/internal/rejectmethods" "gitlab.com/gitlab-org/gitlab-workhorse/internal/upload" "gitlab.com/gitlab-org/gitlab-workhorse/internal/upstream/roundtripper" "gitlab.com/gitlab-org/gitlab-workhorse/internal/urlprefix"
@@ -63,6 +64,8 @@ func NewUpstream(cfg config.Config, accessLogger *logrus.Logger) http.Handler { } handler := correlation.InjectCorrelationID(&up, correlationOpts...) + // TODO: move to LabKit https://gitlab.com/gitlab-org/gitlab-workhorse/-/issues/339 + handler = rejectmethods.NewMiddleware(handler) return handler } |
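Review bot: The accepted-method list in TestNewMiddleware omits `"DELETE"`, which the middleware's acceptedMethods map allows, so that branch is never exercised; add it to the slice on the `acceptedMethods := []string{...}` line. The error from http.NewRequest is discarded with `_` in both subtests, so a method token the library refuses would show up as a confusing status mismatch rather than a clear failure; `tmpRequest, err := http.NewRequest(method, "/", nil)` followed by `require.NoError(t, err)` fixes that. It would also be worth asserting in the UNKNOWN subtest that the wrapped handler was not invoked (for example by having it set a flag that the test checks), since the status code alone does not prove the request was short-circuited.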
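Review bot: In the second hunk of upstream.go the new rejectmethods middleware wraps the result of correlation.InjectCorrelationID, so a rejected request is answered before a correlation ID is attached and whatever logging sits inside that chain never sees the rejected request; the only trace of it is the Prometheus counter. If failing fast before correlation is intentional, say so next to the TODO, e.g. `// Applied outermost on purpose: unknown methods are rejected before correlation/logging; see gitlab_workhorse_unknown_method_rejected_requests.`; otherwise, assuming `&up` satisfies http.Handler as its use in InjectCorrelationID suggests, wrapping it there instead (`correlation.InjectCorrelationID(rejectmethods.NewMiddleware(&up), correlationOpts...)`) keeps rejections correlated. The rest of NewUpstream lies outside the hunk.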