From e5bdcfbc9b1007332fdaa1d37ce1fac47325850d Mon Sep 17 00:00:00 2001 From: Reuben Pereira Date: Wed, 24 Jul 2019 17:59:38 +0000 Subject: [ADD] outbound requests whitelist Signed-off-by: Istvan szalai --- app/models/application_setting_implementation.rb | 56 +++++++++++++++++++----- 1 file changed, 45 insertions(+), 11 deletions(-) (limited to 'app/models/application_setting_implementation.rb') diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb index df4caed175d..30fc9fd6892 100644 --- a/app/models/application_setting_implementation.rb +++ b/app/models/application_setting_implementation.rb @@ -2,6 +2,7 @@ module ApplicationSettingImplementation extend ActiveSupport::Concern + include Gitlab::Utils::StrongMemoize DOMAIN_LIST_SEPARATOR = %r{\s*[,;]\s* # comma or semicolon, optionally surrounded by whitespace | # or @@ -96,7 +97,8 @@ module ApplicationSettingImplementation diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES, commit_email_hostname: default_commit_email_hostname, protected_ci_variables: false, - local_markdown_version: 0 + local_markdown_version: 0, + outbound_local_requests_whitelist: [] } end @@ -131,31 +133,52 @@ module ApplicationSettingImplementation end def domain_whitelist_raw - self.domain_whitelist&.join("\n") + array_to_string(self.domain_whitelist) end def domain_blacklist_raw - self.domain_blacklist&.join("\n") + array_to_string(self.domain_blacklist) end def domain_whitelist_raw=(values) - self.domain_whitelist = [] - self.domain_whitelist = values.split(DOMAIN_LIST_SEPARATOR) - self.domain_whitelist.reject! { |d| d.empty? } - self.domain_whitelist + self.domain_whitelist = domain_strings_to_array(values) end def domain_blacklist_raw=(values) - self.domain_blacklist = [] - self.domain_blacklist = values.split(DOMAIN_LIST_SEPARATOR) - self.domain_blacklist.reject! { |d| d.empty? } - self.domain_blacklist + self.domain_blacklist = domain_strings_to_array(values) end def domain_blacklist_file=(file) self.domain_blacklist_raw = file.read end + def outbound_local_requests_whitelist_raw + array_to_string(self.outbound_local_requests_whitelist) + end + + def outbound_local_requests_whitelist_raw=(values) + self.outbound_local_requests_whitelist = domain_strings_to_array(values) + end + + def outbound_local_requests_whitelist_arrays + strong_memoize(:outbound_local_requests_whitelist_arrays) do + ip_whitelist = [] + domain_whitelist = [] + + self.outbound_local_requests_whitelist.each do |str| + ip_obj = Gitlab::Utils.string_to_ip_object(str) + + if ip_obj + ip_whitelist << ip_obj + else + domain_whitelist << str + end + end + + [ip_whitelist, domain_whitelist] + end + end + def repository_storages Array(read_attribute(:repository_storages)) end @@ -255,6 +278,17 @@ module ApplicationSettingImplementation private + def array_to_string(arr) + arr&.join("\n") + end + + def domain_strings_to_array(values) + values + .split(DOMAIN_LIST_SEPARATOR) + .reject(&:empty?) + .uniq + end + def ensure_uuid! return if uuid? -- cgit v1.2.1 From 3cefc5d7df09dbc21cd9c892bc6c62b5b583ca6a Mon Sep 17 00:00:00 2001 From: Mayra Cabrera Date: Wed, 24 Jul 2019 19:49:31 +0000 Subject: Add RateLimiter to RawController * Limits raw requests to 300 per minute and per raw path. * Add a new attribute to ApplicationSettings so user can change this value on their instance. * Uses Gitlab::ActionRateLimiter to limit the raw requests. * Add a new method into ActionRateLimiter to log the event into auth.log Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/48717 --- app/models/application_setting_implementation.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'app/models/application_setting_implementation.rb') diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb index 30fc9fd6892..1e612bd0e78 100644 --- a/app/models/application_setting_implementation.rb +++ b/app/models/application_setting_implementation.rb @@ -98,7 +98,8 @@ module ApplicationSettingImplementation commit_email_hostname: default_commit_email_hostname, protected_ci_variables: false, local_markdown_version: 0, - outbound_local_requests_whitelist: [] + outbound_local_requests_whitelist: [], + raw_blob_request_limit: 300 } end -- cgit v1.2.1