2021-12-11 22:18:48 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
module Gitlab
|
|
|
|
module Middleware
|
|
|
|
class CompressedJson
|
|
|
|
COLLECTOR_PATH = '/api/v4/error_tracking/collector'
|
2023-07-09 08:55:56 +05:30
|
|
|
INSTANCE_PACKAGES_PATH = %r{
|
|
|
|
\A/api/v4/packages/npm/-/npm/v1/security/
|
|
|
|
(?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
|
|
|
|
}xi.freeze
|
|
|
|
GROUP_PACKAGES_PATH = %r{
|
|
|
|
\A/api/v4/groups/
|
|
|
|
(?<id>
|
|
|
|
[a-zA-Z0-9%-._]{1,255}
|
|
|
|
)/-/packages/npm/-/npm/v1/security/
|
|
|
|
(?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
|
|
|
|
}xi.freeze
|
|
|
|
PROJECT_PACKAGES_PATH = %r{
|
|
|
|
\A/api/v4/projects/
|
|
|
|
(?<id>
|
|
|
|
[a-zA-Z0-9%-._]{1,255}
|
|
|
|
)/packages/npm/-/npm/v1/security/
|
|
|
|
(?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
|
2023-03-04 22:38:38 +05:30
|
|
|
}xi.freeze
|
2021-12-11 22:18:48 +05:30
|
|
|
MAXIMUM_BODY_SIZE = 200.kilobytes.to_i
|
2023-03-04 22:38:38 +05:30
|
|
|
UNSAFE_CHARACTERS = %r{[!"#&'()*+,./:;<>=?@\[\]^`{}|~$]}xi.freeze
|
2021-12-11 22:18:48 +05:30
|
|
|
|
|
|
|
def initialize(app)
|
|
|
|
@app = app
|
|
|
|
end
|
|
|
|
|
|
|
|
def call(env)
|
|
|
|
if compressed_et_request?(env)
|
|
|
|
input = extract(env['rack.input'])
|
|
|
|
|
|
|
|
if input.length > MAXIMUM_BODY_SIZE
|
|
|
|
return too_large
|
|
|
|
end
|
|
|
|
|
|
|
|
env.delete('HTTP_CONTENT_ENCODING')
|
|
|
|
env['CONTENT_LENGTH'] = input.length
|
|
|
|
env['rack.input'] = StringIO.new(input)
|
|
|
|
end
|
|
|
|
|
|
|
|
@app.call(env)
|
|
|
|
end
|
|
|
|
|
|
|
|
def compressed_et_request?(env)
|
|
|
|
post_request?(env) &&
|
|
|
|
gzip_encoding?(env) &&
|
|
|
|
match_content_type?(env) &&
|
|
|
|
match_path?(env)
|
|
|
|
end
|
|
|
|
|
|
|
|
def too_large
|
|
|
|
[413, { 'Content-Type' => 'text/plain' }, ['Payload Too Large']]
|
|
|
|
end
|
|
|
|
|
|
|
|
def relative_url
|
|
|
|
File.join('', Gitlab.config.gitlab.relative_url_root).chomp('/')
|
|
|
|
end
|
|
|
|
|
|
|
|
def extract(input)
|
|
|
|
Zlib::GzipReader.new(input).read(MAXIMUM_BODY_SIZE + 1)
|
|
|
|
end
|
|
|
|
|
|
|
|
def post_request?(env)
|
|
|
|
env['REQUEST_METHOD'] == 'POST'
|
|
|
|
end
|
|
|
|
|
|
|
|
def gzip_encoding?(env)
|
|
|
|
env['HTTP_CONTENT_ENCODING'] == 'gzip'
|
|
|
|
end
|
|
|
|
|
|
|
|
def match_content_type?(env)
|
2022-07-23 23:45:48 +05:30
|
|
|
env['CONTENT_TYPE'].nil? ||
|
|
|
|
env['CONTENT_TYPE'] == 'application/json' ||
|
2021-12-11 22:18:48 +05:30
|
|
|
env['CONTENT_TYPE'] == 'application/x-sentry-envelope'
|
|
|
|
end
|
|
|
|
|
|
|
|
def match_path?(env)
|
2023-03-04 22:38:38 +05:30
|
|
|
env['PATH_INFO'].start_with?((File.join(relative_url, COLLECTOR_PATH))) ||
|
|
|
|
match_packages_path?(env)
|
|
|
|
end
|
|
|
|
|
|
|
|
def match_packages_path?(env)
|
2023-07-09 08:55:56 +05:30
|
|
|
path = env['PATH_INFO'].delete_prefix(relative_url)
|
|
|
|
match_data = path.match(INSTANCE_PACKAGES_PATH) ||
|
|
|
|
path.match(PROJECT_PACKAGES_PATH) ||
|
|
|
|
path.match(GROUP_PACKAGES_PATH)
|
2023-03-04 22:38:38 +05:30
|
|
|
return false unless match_data
|
|
|
|
|
2023-07-09 08:55:56 +05:30
|
|
|
return true if match_data.names.empty? # instance level endpoint was matched
|
2023-03-04 22:38:38 +05:30
|
|
|
|
2023-07-09 08:55:56 +05:30
|
|
|
url_encoded?(match_data[:id])
|
2023-03-04 22:38:38 +05:30
|
|
|
end
|
|
|
|
|
2023-07-09 08:55:56 +05:30
|
|
|
def url_encoded?(id)
|
|
|
|
id !~ UNSAFE_CHARACTERS
|
2021-12-11 22:18:48 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|