Commit 5c147b6b authored by Nick Thomas's avatar Nick Thomas

Merge branch '3274-geo-route-whitelisting' into 'master'

Geo route whitelisting is too optimistic

Closes gitlab-ee#3274

See merge request gitlab-org/gitlab-ce!15082
parents 506a4e75 2fd5cc2b
---
title: Tighten up whitelisting of certain Geo routes
merge_request: 15082
author:
type: fixed
...@@ -12,6 +12,7 @@ module Gitlab ...@@ -12,6 +12,7 @@ module Gitlab
def call(env) def call(env)
@env = env @env = env
@route_hash = nil
if disallowed_request? && Gitlab::Database.read_only? if disallowed_request? && Gitlab::Database.read_only?
Rails.logger.debug('GitLab ReadOnly: preventing possible non read-only operation') Rails.logger.debug('GitLab ReadOnly: preventing possible non read-only operation')
...@@ -77,11 +78,11 @@ module Gitlab ...@@ -77,11 +78,11 @@ module Gitlab
end end
def grack_route def grack_route
request.path.end_with?('.git/git-upload-pack') route_hash[:controller] == 'projects/git_http' && route_hash[:action] == 'git_upload_pack'
end end
def lfs_route def lfs_route
request.path.end_with?('/info/lfs/objects/batch') route_hash[:controller] == 'projects/lfs_api' && route_hash[:action] == 'batch'
end end
end end
end end
......
...@@ -83,6 +83,13 @@ describe Gitlab::Middleware::ReadOnly do ...@@ -83,6 +83,13 @@ describe Gitlab::Middleware::ReadOnly do
expect(subject).to disallow_request expect(subject).to disallow_request
end end
it 'expects POST of new file that looks like an LFS batch url to be disallowed' do
response = request.post('/root/gitlab-ce/new/master/app/info/lfs/objects/batch')
expect(response).to be_a_redirect
expect(subject).to disallow_request
end
context 'whitelisted requests' do context 'whitelisted requests' do
it 'expects DELETE request to logout to be allowed' do it 'expects DELETE request to logout to be allowed' do
response = request.delete('/users/sign_out') response = request.delete('/users/sign_out')
...@@ -104,6 +111,25 @@ describe Gitlab::Middleware::ReadOnly do ...@@ -104,6 +111,25 @@ describe Gitlab::Middleware::ReadOnly do
expect(response).not_to be_a_redirect expect(response).not_to be_a_redirect
expect(subject).not_to disallow_request expect(subject).not_to disallow_request
end end
it 'expects a POST request to git-upload-pack URL to be allowed' do
response = request.post('/root/rouge.git/git-upload-pack')
expect(response).not_to be_a_redirect
expect(subject).not_to disallow_request
end
it 'expects requests to sidekiq admin to be allowed' do
response = request.post('/admin/sidekiq')
expect(response).not_to be_a_redirect
expect(subject).not_to disallow_request
response = request.get('/admin/sidekiq')
expect(response).not_to be_a_redirect
expect(subject).not_to disallow_request
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment