Diffstat (limited to 'lib/gitlab/middleware/read_only/controller.rb')
-rw-r--r--lib/gitlab/middleware/read_only/controller.rb39
1 files changed, 18 insertions, 21 deletions
diff --git a/lib/gitlab/middleware/read_only/controller.rb b/lib/gitlab/middleware/read_only/controller.rb
index cfea4aaddf3..101172cdfcc 100644
--- a/lib/gitlab/middleware/read_only/controller.rb
+++ b/lib/gitlab/middleware/read_only/controller.rb
@@ -9,20 +9,19 @@ module Gitlab
APPLICATION_JSON_TYPES = %W{#{APPLICATION_JSON} application/vnd.git-lfs+json}.freeze
ERROR_MESSAGE = 'You cannot perform write operations on a read-only instance'
- WHITELISTED_GIT_ROUTES = {
- 'repositories/git_http' => %w{git_upload_pack git_receive_pack}
+ ALLOWLISTED_GIT_ROUTES = {
+ 'repositories/git_http' => %w{git_upload_pack}
}.freeze
- WHITELISTED_GIT_LFS_ROUTES = {
- 'repositories/lfs_api' => %w{batch},
- 'repositories/lfs_locks_api' => %w{verify create unlock}
+ ALLOWLISTED_GIT_LFS_BATCH_ROUTES = {
+ 'repositories/lfs_api' => %w{batch}
}.freeze
- WHITELISTED_GIT_REVISION_ROUTES = {
+ ALLOWLISTED_GIT_REVISION_ROUTES = {
'projects/compare' => %w{create}
}.freeze
- WHITELISTED_SESSION_ROUTES = {
+ ALLOWLISTED_SESSION_ROUTES = {
'sessions' => %w{destroy},
'admin/sessions' => %w{create destroy}
}.freeze
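Review bot: The new constants narrow what is allowlisted — `ALLOWLISTED_GIT_ROUTES` keeps only `git_upload_pack` (L20) and `ALLOWLISTED_GIT_LFS_BATCH_ROUTES` keeps only `batch` (L26), dropping `git_receive_pack` and the `lfs_locks_api` actions — but the definitions carry no comment saying why, so a reader sees a rename and may later "restore" the missing entries. Presumably these were dropped because they are write operations that a read-only instance must reject with `ERROR_MESSAGE`; if so, record it at the definition, e.g. above L19: `# Only read paths are allowlisted: git-receive-pack and LFS lock mutation are writes and must be rejected on a read-only instance.` The same point applies to the matching prefilter change on L58.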
@@ -55,7 +54,7 @@ module Gitlab
def disallowed_request?
DISALLOWED_METHODS.include?(@env['REQUEST_METHOD']) &&
- !whitelisted_routes
+ !allowlisted_routes
end
def json_request?
@@ -87,8 +86,8 @@ module Gitlab
end
# Overridden in EE module
- def whitelisted_routes
- workhorse_passthrough_route? || internal_route? || lfs_route? || compare_git_revisions_route? || sidekiq_route? || session_route? || graphql_query?
+ def allowlisted_routes
+ workhorse_passthrough_route? || internal_route? || lfs_batch_route? || compare_git_revisions_route? || sidekiq_route? || session_route? || graphql_query?
end
# URL for requests passed through gitlab-workhorse to rails-web
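Review bot: `allowlisted_routes` (L49) is documented as "Overridden in EE module" (L46), so the rename from `whitelisted_routes` is only complete if the EE override is renamed in the same change; an EE module that still defines `whitelisted_routes` would no longer override anything, and the CE chain on L50 would silently apply instead — no NameError, so nothing would flag it. The same applies to `lfs_route?` becoming `lfs_batch_route?` if EE references it. Worth confirming the EE side before merging.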
@@ -96,9 +95,9 @@ module Gitlab
def workhorse_passthrough_route?
# Calling route_hash may be expensive. Only do it if we think there's a possible match
return false unless request.post? &&
- request.path.end_with?('.git/git-upload-pack', '.git/git-receive-pack')
+ request.path.end_with?('.git/git-upload-pack')
- WHITELISTED_GIT_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
+ ALLOWLISTED_GIT_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
end
def internal_route?
@@ -109,18 +108,16 @@ module Gitlab
# Calling route_hash may be expensive. Only do it if we think there's a possible match
return false unless request.post? && request.path.end_with?('compare')
- WHITELISTED_GIT_REVISION_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
+ ALLOWLISTED_GIT_REVISION_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
end
- def lfs_route?
+ # Batch upload requests are blocked in:
+ # https://gitlab.com/gitlab-org/gitlab/blob/master/app/controllers/repositories/lfs_api_controller.rb#L106
+ def lfs_batch_route?
# Calling route_hash may be expensive. Only do it if we think there's a possible match
- unless request.path.end_with?('/info/lfs/objects/batch',
- '/info/lfs/locks', '/info/lfs/locks/verify') ||
- %r{/info/lfs/locks/\d+/unlock\z}.match?(request.path)
- return false
- end
+ return unless request.path.end_with?('/info/lfs/objects/batch')
- WHITELISTED_GIT_LFS_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
+ ALLOWLISTED_GIT_LFS_BATCH_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
end
def session_route?
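Review bot: `return unless request.path.end_with?('/info/lfs/objects/batch')` on L79 returns nil where every sibling guard in this file (`return false unless` on L56, L65 and L85) returns false; `allowlisted_routes` only uses it in an `||` chain so behaviour is unchanged, but a `?` predicate with three possible results is a style regression — `return false unless request.path.end_with?('/info/lfs/objects/batch')` keeps it consistent. The comment on L70-L71 refers to a line number on master, which will drift as that controller changes; prefer naming the check it points at, or pinning the link to a commit. It is also worth stating in that comment that this allowlist admits the batch endpoint on the strength of a check living in the controller, so the read-only guarantee for LFS uploads depends on that controller check remaining in place.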
@@ -128,7 +125,7 @@ module Gitlab
return false unless request.post? && request.path.end_with?('/users/sign_out',
'/admin/session', '/admin/session/destroy')
- WHITELISTED_SESSION_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
+ ALLOWLISTED_SESSION_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
end
def sidekiq_route?