domi/forgejo-domi
1
0
Fork 0
forked from forgejo/forgejo
Code Pull requests Activity

Use hostmatcher to replace matchlist, improve security (#17605)

Browse source 
Use hostmacher to replace matchlist.

And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
This commit is contained in:
wxiaoguang 2021-11-20 17:34:05 +08:00 committed by GitHub
parent c96be0cd98
commit 013fb73068
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
33 changed files with 377 additions and 293 deletions
Download patch file Download diff file Expand all files Collapse all files

8
services/migrations/migrate_test.go
View file

@ -21,7 +21,8 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
adminUser := unittest.AssertExistsAndLoadBean(t, &models.User{Name: "user1"}).(*models.User)
nonAdminUser := unittest.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
setting.Migrations.AllowedDomains = []string{"github.com"}
setting.Migrations.AllowedDomains = "github.com"
setting.Migrations.AllowLocalNetworks = false
assert.NoError(t, Init())
err := IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)
@ -33,8 +34,8 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)
assert.NoError(t, err)
setting.Migrations.AllowedDomains = []string{}
setting.Migrations.BlockedDomains = []string{"github.com"}
setting.Migrations.AllowedDomains = ""
setting.Migrations.BlockedDomains = "github.com"
assert.NoError(t, Init())
err = IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)
@ -47,6 +48,7 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
assert.Error(t, err)
setting.Migrations.AllowLocalNetworks = true
assert.NoError(t, Init())
err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)
assert.NoError(t, err)