HTTP connection adapter with proxy settings

This updates the HTTPConnectionAdapter to prevent any SSRF protection bypass when using the proxy settings.

HTTP connection adapter with proxy settings
This updates the HTTPConnectionAdapter to prevent any SSRF protection bypass when using the proxy settings.
b067dc7f · Arturo Herrero · Bob Van Landuyt · de3c64af · b067dc7f · b067dc7f
Commit b067dc7f authored Mar 09, 2021 by Arturo Herrero Committed by Bob Van Landuyt Mar 09, 2021
Showing with 204 additions and 58 deletions

lib/gitlab/http_connection_adapter.rb lib/gitlab/http_connection_adapter.rb +25 -6

spec/lib/gitlab/http_connection_adapter_spec.rb spec/lib/gitlab/http_connection_adapter_spec.rb +179 -52

No files found.
--- a/lib/gitlab/http_connection_adapter.rb
+++ b/lib/gitlab/http_connection_adapter.rb
@@ -11,13 +11,18 @@
 # This option will take precedence over the global setting.
 module Gitlab
  class HTTPConnectionAdapter < HTTParty::ConnectionAdapter
+    extend ::Gitlab::Utils::Override
+    override :connection
    def connection
-      begin
+      @uri, hostname = validate_url!(uri)
-        @uri, hostname = Gitlab::UrlBlocker.validate!(uri, allow_local_network: allow_local_requests?,
-                                                           allow_localhost: allow_local_requests?,
+      if options.key?(:http_proxyaddr)
-                                                           dns_rebind_protection: dns_rebind_protection?)
+        proxy_uri_with_port = uri_with_port(options[:http_proxyaddr], options[:http_proxyport])
-      rescue Gitlab::UrlBlocker::BlockedUrlError => e
+        proxy_uri_validated = validate_url!(proxy_uri_with_port).first
-        raise Gitlab::HTTP::BlockedUrlError, "URL '#{uri}' is blocked: #{e.message}"
+        @options[:http_proxyaddr] = proxy_uri_validated.omit(:port).to_s
+        @options[:http_proxyport] = proxy_uri_validated.port
      end
      super.tap do |http|
@@ -27,6 +32,14 @@ module Gitlab
    private
+    def validate_url!(url)
+      Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?,
+                                        allow_localhost: allow_local_requests?,
+                                        dns_rebind_protection: dns_rebind_protection?)
+    rescue Gitlab::UrlBlocker::BlockedUrlError => e
+      raise Gitlab::HTTP::BlockedUrlError, "URL '#{url}' is blocked: #{e.message}"
+    end
    def allow_local_requests?
      options.fetch(:allow_local_requests, allow_settings_local_requests?)
    end
@@ -40,5 +53,11 @@ module Gitlab
    def allow_settings_local_requests?
      Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
    end
+    def uri_with_port(address, port)
+      uri = Addressable::URI.parse(address)
+      uri.port = port if port.present?
+      uri
+    end
  end
 end
--- a/spec/lib/gitlab/http_connection_adapter_spec.rb
+++ b/spec/lib/gitlab/http_connection_adapter_spec.rb