mirror of https://github.com/go-gitea/gitea
Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.pull/17737/head
parent
c96be0cd98
commit
013fb73068
@ -0,0 +1,58 @@ |
||||
// Copyright 2021 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package hostmatcher |
||||
|
||||
import ( |
||||
"context" |
||||
"fmt" |
||||
"net" |
||||
"syscall" |
||||
"time" |
||||
) |
||||
|
||||
// NewDialContext returns a DialContext for Transport, the DialContext will do allow/block list check
|
||||
func NewDialContext(usage string, allowList *HostMatchList, blockList *HostMatchList) func(ctx context.Context, network, addr string) (net.Conn, error) { |
||||
// How Go HTTP Client works with redirection:
|
||||
// transport.RoundTrip URL=http://domain.com, Host=domain.com
|
||||
// transport.DialContext addrOrHost=domain.com:80
|
||||
// dialer.Control tcp4:11.22.33.44:80
|
||||
// transport.RoundTrip URL=http://www.domain.com/, Host=(empty here, in the direction, HTTP client doesn't fill the Host field)
|
||||
// transport.DialContext addrOrHost=domain.com:80
|
||||
// dialer.Control tcp4:11.22.33.44:80
|
||||
return func(ctx context.Context, network, addrOrHost string) (net.Conn, error) { |
||||
dialer := net.Dialer{ |
||||
// default values comes from http.DefaultTransport
|
||||
Timeout: 30 * time.Second, |
||||
KeepAlive: 30 * time.Second, |
||||
|
||||
Control: func(network, ipAddr string, c syscall.RawConn) (err error) { |
||||
var host string |
||||
if host, _, err = net.SplitHostPort(addrOrHost); err != nil { |
||||
return err |
||||
} |
||||
// in Control func, the addr was already resolved to IP:PORT format, there is no cost to do ResolveTCPAddr here
|
||||
tcpAddr, err := net.ResolveTCPAddr(network, ipAddr) |
||||
if err != nil { |
||||
return fmt.Errorf("%s can only call HTTP servers via TCP, deny '%s(%s:%s)', err=%v", usage, host, network, ipAddr, err) |
||||
} |
||||
|
||||
var blockedError error |
||||
if blockList.MatchHostOrIP(host, tcpAddr.IP) { |
||||
blockedError = fmt.Errorf("%s can not call blocked HTTP servers (check your %s setting), deny '%s(%s)'", usage, blockList.SettingKeyHint, host, ipAddr) |
||||
} |
||||
|
||||
// if we have an allow-list, check the allow-list first
|
||||
if !allowList.IsEmpty() { |
||||
if !allowList.MatchHostOrIP(host, tcpAddr.IP) { |
||||
return fmt.Errorf("%s can only call allowed HTTP servers (check your %s setting), deny '%s(%s)'", usage, allowList.SettingKeyHint, host, ipAddr) |
||||
} |
||||
} |
||||
// otherwise, we always follow the blocked list
|
||||
return blockedError |
||||
}, |
||||
} |
||||
return dialer.DialContext(ctx, network, addrOrHost) |
||||
} |
||||
} |
@ -1,46 +0,0 @@ |
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package matchlist |
||||
|
||||
import ( |
||||
"strings" |
||||
|
||||
"github.com/gobwas/glob" |
||||
) |
||||
|
||||
// Matchlist represents a block or allow list
|
||||
type Matchlist struct { |
||||
ruleGlobs []glob.Glob |
||||
} |
||||
|
||||
// NewMatchlist creates a new block or allow list
|
||||
func NewMatchlist(rules ...string) (*Matchlist, error) { |
||||
for i := range rules { |
||||
rules[i] = strings.ToLower(rules[i]) |
||||
} |
||||
list := Matchlist{ |
||||
ruleGlobs: make([]glob.Glob, 0, len(rules)), |
||||
} |
||||
|
||||
for _, rule := range rules { |
||||
rg, err := glob.Compile(rule) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
list.ruleGlobs = append(list.ruleGlobs, rg) |
||||
} |
||||
|
||||
return &list, nil |
||||
} |
||||
|
||||
// Match will matches
|
||||
func (b *Matchlist) Match(u string) bool { |
||||
for _, r := range b.ruleGlobs { |
||||
if r.Match(u) { |
||||
return true |
||||
} |
||||
} |
||||
return false |
||||
} |
@ -0,0 +1,30 @@ |
||||
// Copyright 2021 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package migrations |
||||
|
||||
import ( |
||||
"crypto/tls" |
||||
"net/http" |
||||
|
||||
"code.gitea.io/gitea/modules/hostmatcher" |
||||
"code.gitea.io/gitea/modules/proxy" |
||||
"code.gitea.io/gitea/modules/setting" |
||||
) |
||||
|
||||
// NewMigrationHTTPClient returns a HTTP client for migration
|
||||
func NewMigrationHTTPClient() *http.Client { |
||||
return &http.Client{ |
||||
Transport: NewMigrationHTTPTransport(), |
||||
} |
||||
} |
||||
|
||||
// NewMigrationHTTPTransport returns a HTTP transport for migration
|
||||
func NewMigrationHTTPTransport() *http.Transport { |
||||
return &http.Transport{ |
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Migrations.SkipTLSVerify}, |
||||
Proxy: proxy.Proxy(), |
||||
DialContext: hostmatcher.NewDialContext("migration", allowList, blockList), |
||||
} |
||||
} |
Loading…
Reference in new issue