summaryrefslogtreecommitdiff
path: root/config
diff options
context:
space:
mode:
authorThong Kuah <tkuah@gitlab.com>2018-10-26 23:53:40 +1300
committerMayra Cabrera <mcabrera@gitlab.com>2018-10-26 09:47:00 -0500
commit6eb3fc69f6a1f705b6f366dc14d306e1409ee721 (patch)
treef86030a7c9383ba581f456a3797db8e7814eeb4b /config
parent160ed1d7a1d56135427dfa68980f9653e41bd907 (diff)
downloadgitlab-ce-6eb3fc69f6a1f705b6f366dc14d306e1409ee721.tar.gz
Monkey kubeclient to not follow any redirects.
This should prevent any malicious server from responding with a location that will redirect us and expose internal services, as kubeclient's rest-client will no longer follow redirects.
Diffstat (limited to 'config')
-rw-r--r--config/initializers/kubeclient.rb21
1 files changed, 21 insertions, 0 deletions
diff --git a/config/initializers/kubeclient.rb b/config/initializers/kubeclient.rb
index 7f115268b37..2d9f439fdc0 100644
--- a/config/initializers/kubeclient.rb
+++ b/config/initializers/kubeclient.rb
@@ -13,4 +13,25 @@ class Kubeclient::Client
ns_prefix = build_namespace_prefix(namespace)
rest_client["#{ns_prefix}#{entity_name_plural}/#{name}:#{port}/proxy"].url
end
+
+ # Monkey patch to set `max_redirects: 0`, so that kubeclient
+ # does not follow redirects and expose internal services.
+ # See https://gitlab.com/gitlab-org/gitlab-ce/issues/53158
+ def create_rest_client(path = nil)
+ path ||= @api_endpoint.path
+ options = {
+ ssl_ca_file: @ssl_options[:ca_file],
+ ssl_cert_store: @ssl_options[:cert_store],
+ verify_ssl: @ssl_options[:verify_ssl],
+ ssl_client_cert: @ssl_options[:client_cert],
+ ssl_client_key: @ssl_options[:client_key],
+ proxy: @http_proxy_uri,
+ user: @auth_options[:username],
+ password: @auth_options[:password],
+ open_timeout: @timeouts[:open],
+ read_timeout: @timeouts[:read],
+ max_redirects: 0
+ }
+ RestClient::Resource.new(@api_endpoint.merge(path).to_s, options)
+ end
end