From 860785f00757a47e0e3ace973444ba5ad6d9c174 Mon Sep 17 00:00:00 2001
From: DJ Mountney <david@twkie.net>
Date: Mon, 27 Jun 2016 12:43:28 -0700
Subject: Make Rack::Request use our trusted proxies when filtering IP
 addresses

This allows us to control the trusted proxies while deployed in a private network. Normally Rack::Request will trust all private IPs as trusted proxies, which can caue problems if your users are connection on you network via private IP ranges.

Normally in a rails app this is handled by action_dispatch request, but rack_attack is specifically using the Rack::Request object instead.
---
 config/initializers/trusted_proxies.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'config/initializers/trusted_proxies.rb')

diff --git a/config/initializers/trusted_proxies.rb b/config/initializers/trusted_proxies.rb
index d256a16d42b..df4a933e22f 100644
--- a/config/initializers/trusted_proxies.rb
+++ b/config/initializers/trusted_proxies.rb
@@ -1,3 +1,16 @@
+# Override Rack::Request to make use of the same list of trusted_proxies
+# as the ActionDispatch::Request object. This is necessary for libraries
+# like rack_attack where they don't use ActionDispatch, and we want them
+# to block/throttle requests on private networks.
+# Rack Attack specific issue: https://github.com/kickstarter/rack-attack/issues/145 
+module Rack
+  class Request
+    def trusted_proxy?(ip)
+      Rails.application.config.action_dispatch.trusted_proxies.any? { |proxy| proxy === ip }
+    end
+  end
+end
+
 Rails.application.config.action_dispatch.trusted_proxies = (
   [ '127.0.0.1', '::1' ] + Array(Gitlab.config.gitlab.trusted_proxies)
 ).map { |proxy| IPAddr.new(proxy) }
-- 
cgit v1.2.1