# frozen_string_literal: true
module RestClient
  class Request
    # Second value returned by Gitlab::UrlBlocker.validate! for the most
    # recent #transmit call. When set, #net_http_object copies it onto the
    # connection object.
    attr_accessor :hostname_override

    # Prepended onto RestClient::Request (see `prepend` below) so that every
    # request is checked by Gitlab::UrlBlocker before the original #transmit
    # is reached.
    module UrlBlocker
      # Validates +uri+ and then hands the request to the original #transmit,
      # using the URI returned by the validator instead of the caller's.
      #
      # NOTE(review): presumably the returned URI carries the resolved IP in
      # place of the host when DNS rebinding protection is on, so the
      # connection goes to the address that was actually checked. Confirm
      # against Gitlab::UrlBlocker.
      #
      # @param uri the request target as supplied by rest-client
      # @param req forwarded unchanged to the original #transmit
      # @param payload forwarded unchanged to the original #transmit
      # @raise [ArgumentError] when the validator raises BlockedUrlError;
      #   the blocker's message is appended to "URL is blocked: "
      def transmit(uri, req, payload, &block)
        begin
          # Both local-network and localhost access follow the same setting;
          # only http and https are passed as acceptable schemes.
          blocker_options = {
            allow_local_network: allow_settings_local_requests?,
            allow_localhost: allow_settings_local_requests?,
            dns_rebind_protection: dns_rebind_protection?,
            schemes: %w[http https]
          }
          validated_uri, override = Gitlab::UrlBlocker.validate!(uri, **blocker_options)

          self.hostname_override = override
        rescue Gitlab::UrlBlocker::BlockedUrlError => error
          raise ArgumentError, "URL is blocked: #{error.message}"
        end

        # Gitlab::UrlBlocker returns an Addressable::URI which we need to
        # coerce to URI so that rest-client can use it to determine if it's a
        # URI::HTTPS or not. It uses it to set `net.use_ssl` to true or not:
        #
        # https://github.com/rest-client/rest-client/blob/f450a0f086f1cd1049abbef2a2c66166a1a9ba71/lib/restclient/request.rb#L656
        stdlib_uri = URI.parse(validated_uri)

        super(stdlib_uri, req, payload, &block)
      end

      # Builds the connection object through the original implementation and,
      # when a hostname override was recorded by #transmit, sets it on that
      # object.
      #
      # NOTE(review): `hostname_override=` on the connection object is not
      # defined in this file; presumably it keeps the original hostname for
      # TLS verification while connecting to the validated address. Confirm.
      def net_http_object(hostname, port)
        http = super
        http.hostname_override = hostname_override if hostname_override
        http
      end

      private

      # Whether the validator is asked to apply DNS rebinding protection.
      # Always false when Gitlab.http_proxy_env? is true, regardless of the
      # application setting.
      #
      # NOTE(review): presumably this is because name resolution is then done
      # by the proxy; if so, rebinding protection has to be enforced at the
      # proxy itself. Confirm.
      def dns_rebind_protection?
        if Gitlab.http_proxy_env?
          false
        else
          Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
        end
      end

      # Whether requests to localhost and the local network are permitted.
      # Note that the "web hooks and services" setting is what governs every
      # request sent through RestClient::Request here.
      def allow_settings_local_requests?
        Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
      end
    end

    prepend UrlBlocker
  end
end