Commits · 9ba2dfbeb1e21540e9350859eec6823e73700468 · nexedi / gitlab-ce

17 Mar, 2022 1 commit

Block limited broadcast address (255.255.255.255) in UrlBlocker · 9ba2dfbe

nmalcolm authored Mar 15, 2022

`UrlBlocker` protects GitLab and its users from attacks such as
Server Side Request Forgery and DNS Rebind attacks.

Until now, setting `allow_local_network` had no effect on blocking
`255.255.255.255`, whether true or false. Now, when
`allow_local_network` is set to `false` `255.255.255.255` is
blocked through the introduction of a check named
`validate_limited_broadcast_address`.

`255.255.255.255` is the "limited broadcast address", which is used to
make requests to all hosts on a local physical network [1]. Properly
configured routers won't route it. Historically it was used to wake up
offline PCs on a LAN which, since they were asleep, didn't have IP
addresses [2].

While `UrlBlocker` defaults `allow_local_network` to `true`, in
practice it is almost always `false` because of a convention to
use the GitLab configuration option which defaults to `false`.
If a GitLab administrator still wants to  reach `255.255.255.255`,
it can be added explicitly in the Allow List [3].

There is no reason a GitLab user would want to reach this, but it
could potentially be misused if an attacker finds a component
vulnerable to DNS rebinding, for example.

This commit aims to fulfil https://gitlab.com/gitlab-org/gitlab/-/issues/337796

[1]: https://datatracker.ietf.org/doc/html/rfc919#section-7
[2]: https://superuser.com/a/1006951
[3]: https://docs.gitlab.com/ee/security/webhooks.html#allowlist-for-local-requests

Changelog: changed

9ba2dfbe

09 Mar, 2022 17 commits
- Merge branch 'update-group-path-instructions' into 'master' · 4c3e65b0
  Evan Read authored Mar 09, 2022
```
Update Change Group's Path instructions to match with UI

See merge request gitlab-org/gitlab!82403
```
  4c3e65b0
- Merge branch '344264-drop-old-index-for-security-builds' into 'master' · 2066ff90
  Krasimir Angelov authored Mar 09, 2022
```
Drop old index for security ci builds on name and id parser

See merge request gitlab-org/gitlab!82354
```
  2066ff90
- Merge branch 'feature/fetch_git_stream_event' into 'master' · 2d435369
  Max Woolf authored Mar 09, 2022
```
Add git audit streaming events

See merge request gitlab-org/gitlab!76719
```
  2d435369
- Add git audit streaming event unit test · 2ee92d19
  Baodong authored Mar 09, 2022
```
When user download source code on GUI.
```
  2ee92d19
- Merge branch '353513-frontmatter-sourcepos' into 'master' · 0e8352a5
  Heinrich Lee Yu authored Mar 09, 2022
```
Fix source position mapping in markdown with frontmatter

See merge request gitlab-org/gitlab!81470
```
  0e8352a5
- Merge branch... · 718eb85d
  Ezekiel Kigbo authored Mar 09, 2022
```
Merge branch '344108-replace-browser-confirm-modal-with-glmodal-in-app-assets-javascripts-environments-components-2' into 'master'

Replace window.confirm with GlModal in environment actions

See merge request gitlab-org/gitlab!80425
```
  718eb85d
- Merge branch 'rz-fix-prometheus-page-warning' into 'master' · 7d3cae74
  Michael Kozono authored Mar 09, 2022
```
Fix variable in _prometheus.html.haml so it shows as a code block

See merge request gitlab-org/gitlab!82395
```
  7d3cae74
- Merge branch 'wc-gitaly-profiling' into 'master' · 74633ff9
  Evan Read authored Mar 09, 2022
```
docs: Gitaly profiling instructions

See merge request gitlab-org/gitlab!82343
```
  74633ff9
- docs: Gitaly profiling instructions · 309b97d5
  Will Chandler authored Mar 09, 2022
```
Add notes to public docs on how to profile Gitaly. Currently this is
only in our SRE runbooks.
```
  309b97d5
- Merge branch 'qa-shl-de-duplicate-already-marked-for-deletion-check' into 'master' · bca8186f
  Chloe Liu authored Mar 09, 2022
```
De-duplicate already marked for deletion check

See merge request gitlab-org/gitlab!82173
```
  bca8186f
- Merge branch 'bbodenmiller-master-patch-79013' into 'master' · 9799ed43
  Evan Read authored Mar 09, 2022
```
List comparison to group access tokens in personal tokens

See merge request gitlab-org/gitlab!82227
```
  9799ed43
- Merge branch '322434-requires-python-optional' into 'master' · 82d38aae
  Mayra Cabrera authored Mar 09, 2022
```
Param requires_python is optional for pypi

See merge request gitlab-org/gitlab!81946
```
  82d38aae
- Param requires_python is optional for pypi · 22a7e20d
  Steve Abrams authored Mar 09, 2022
```
Make the requires_python optional for the pypi
upload endpoint to conform with pypi standards.

Changelog: fixed
```
  22a7e20d
- Merge branch 'fix-semi-linear-merge-description' into 'master' · dc75204b
  Ezekiel Kigbo authored Mar 09, 2022
```
Project settings: fix semi-linear merge description

See merge request gitlab-org/gitlab!82261
```
  dc75204b
- Merge branch 'shinya.maeda-master-patch-06787' into 'master' · 7f7ca69c
  Russell Dickenson authored Mar 09, 2022
```
Remove Legacy Feature Flag instructions

See merge request gitlab-org/gitlab!82294
```
  7f7ca69c
- Remove Legacy Feature Flag instructions · 73058ad4
  Shinya Maeda authored Mar 09, 2022
  
  73058ad4
- Merge branch 'docs/Alexand-fix-agent-defaul-namespace' into 'master' · 3a31150d
  Suzanne Selhorn authored Mar 09, 2022
```
Fix the Agent default namespace in docs

See merge request gitlab-org/gitlab!82413
```
  3a31150d
08 Mar, 2022 22 commits
- Merge branch 'shl-log-on-successful-license-creation' into 'master' · d7793c0e
  Anastasia McDonald authored Mar 08, 2022
```
E2E: Log successful adding of license key

See merge request gitlab-org/gitlab!82302
```
  d7793c0e
- E2E: Log successful adding of license key · 0749a4db
  Sanad Liaquat authored Mar 08, 2022
  
  0749a4db
- Merge branch 'add_kube_ingress_baes_domain_to_autodevops_qa_test' into 'master' · 0cc6a229
  Dan Davison authored Mar 08, 2022
```
Set KUBE_INGRESS_BASE_DOMAIN for Auto DevOps QA test

See merge request gitlab-org/gitlab!82214
```
  0cc6a229
- Ensure that the spaces between frontmatter are kept · aa1c697b
  Thomas Chandelle authored Feb 23, 2022
```
This allows the source-position data to be accurate

Changelog: fixed
```
  aa1c697b
- Merge branch 'mc_rocha-consider-non-default-config-file-for-security-ui-351856' into 'master' · 54e023cf
  Mayra Cabrera authored Mar 08, 2022
```
Consider non-default config files for Security UI

See merge request gitlab-org/gitlab!81027
```
  54e023cf
- Consider non-default config files for Security UI · 9a74d9ba
  Marcos Rocha authored Mar 08, 2022
```
Updates create service to use the ci_config_file instead of the default

Changelog: changed
MR:
```
  9a74d9ba
- Merge branch 'qmnguyen0711/remove-mirroring-scheduling-tracker' into 'master' · e0f5dc24
  Sean McGivern authored Mar 08, 2022
```
Remove mirror_scheduling_tracker and ProjectImporScheduleWorker's needs_own_queue tag

See merge request gitlab-org/gitlab!81960
```
  e0f5dc24
- Merge branch 'group-token-name-visibility' into 'master' · 55cad6a2
  Douglas Barbosa Alexandre authored Mar 08, 2022
```
Fix group bot token name in REST API and GraphQL

See merge request gitlab-org/gitlab!81843
```
  55cad6a2
- Merge branch 'promote-k8s-agent-test' into 'master' · 3342d32b
  Chloe Liu authored Mar 08, 2022
```
Promote test to reliable

See merge request gitlab-org/gitlab!82311
```
  3342d32b
- Merge branch 'fix-markdown-sourcemap-bug' into 'master' · bf69be91
  Paul Slaughter authored Mar 08, 2022
```
Fix pasting HTML tables in the Content Editor

See merge request gitlab-org/gitlab!82040
```
  bf69be91
- Fix sourcemap recovery error in Content Editor · 2e46ff7f
  Enrique Alcántara authored Mar 08, 2022
```
- https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82040

Changelog: fixed
```
  2e46ff7f
- Merge branch 'kpaizee-azure-ctrt-edits-2' into 'master' · cab373d3
  Suzanne Selhorn authored Mar 08, 2022
```
CTRT edits for Azure page - part 2

See merge request gitlab-org/gitlab!82388
```
  cab373d3
- CTRT edits for Azure page - part 2 · 8a272fad
  Kati Paizee authored Mar 08, 2022
  
  8a272fad
- Merge branch 'add-refs' into 'master' · 9f8f21dd
  Bob Van Landuyt authored Mar 08, 2022
```
Include merge-requests in RESERVED_REFS_NAMES

See merge request gitlab-org/gitlab!82326
```
  9f8f21dd
- Merge branch 'updates-ipynb-version' into 'master' · 978a8612
  Ethan Urie authored Mar 08, 2022
```
Upgrades ipynbdiff to 0.4.4

See merge request gitlab-org/gitlab!82323
```
  978a8612
- Merge branch 'caw-improve-captcha-modal-comment' into 'master' · 68603033
  Enrique Alcántara authored Mar 08, 2022
```
Clarify comment related to CAPTCHA modal

See merge request gitlab-org/gitlab!82363
```
  68603033
- Apply maintainer suggestions · 17b99900
  Serena Fang authored Mar 08, 2022
  
  17b99900
- Apply reviewer suggestions · 803ca4b8
  Serena Fang authored Mar 07, 2022
  
  803ca4b8
- Move secure name method to HasUserType · 1edd7c71
  Serena Fang authored Mar 03, 2022
```
Move from UsersHelper to HasUserType
```
  1edd7c71
- Apply reviewer suggestions · 79611ed1
  Serena Fang authored Mar 01, 2022
  
  79611ed1
- Remove unneeded changes · de35bb22
  Serena Fang authored Feb 28, 2022
```
Remove uneeded changes
```
  de35bb22
- Add specs for group token name · 14b4120f
  Serena Fang authored Feb 28, 2022
```
Add specs to user_spec and user_type_spec
```
  14b4120f