domi/forgejo-domi
1
0
Fork 0
forked from forgejo/forgejo
Code Pull requests Activity

Use hostmatcher to replace matchlist, improve security (#17605)

Browse source 
Use hostmacher to replace matchlist.

And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
This commit is contained in:
wxiaoguang 2021-11-20 17:34:05 +08:00 committed by GitHub
parent c96be0cd98
commit 013fb73068
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
33 changed files with 377 additions and 293 deletions
Download patch file Download diff file Expand all files Collapse all files

4
integrations/api_repo_test.go
View file

@ -331,10 +331,10 @@ func TestAPIRepoMigrate(t *testing.T) {
switch respJSON["message"] {
case "Remote visit addressed rate limitation.":
t.Log("test hit github rate limitation")
case "You are not allowed to import from private IPs.":
case "You can not import from disallowed hosts.":
assert.EqualValues(t, "private-ip", testCase.repoName)
default:
t.Errorf("unexpected error '%v' on url '%s'", respJSON["message"], testCase.cloneURL)
assert.Fail(t, "unexpected error '%v' on url '%s'", respJSON["message"], testCase.cloneURL)
}
} else {
assert.EqualValues(t, testCase.expectedStatus, resp.Code)