proto: Drop deprecated `http_host` field in FetchRemote RPC

The `http_host` field was added in order to avoid DNS rebinding attacks. Callers would send us both the pre-resolved URL and the hostname so that we would directly connect to the pre-resolved address, but still be able to set the HTTP `Host` header as expected. This approach was replaced in favor of the new `resolved_address` field, where Gitaly receives the un-resolved URL and resolved IP address so that it can perform the mapping internally. We have thus deprecated the `http_host` field via cbdc529000 (proto: Deprecate `http_host` field, 2022-09-30). Remove the field for the FetchRemote RPC. Changelog: removed
author: Patrick Steinhardt <psteinhardt@gitlab.com> 2023-05-04 09:35:21 +0300
committer: Patrick Steinhardt <psteinhardt@gitlab.com> 2023-05-04 09:43:41 +0300
commit: 3a59e721e457b8cdb8613ba8605218bd2f5f565e (patch)
tree: a8fa845475f6d7940c962ee37440a0a6cb71568a
parent: a92a2b2a776060e5f19a6226a84d183e17ca0b2e (diff)
4 files changed, 11 insertions, 45 deletions
diff --git a/internal/gitaly/service/repository/fetch_remote.go b/internal/gitaly/service/repository/fetch_remote.go
index c0ad9293e..fd20156b2 100644
--- a/internal/gitaly/service/repository/fetch_remote.go
+++ b/internal/gitaly/service/repository/fetch_remote.go
@@ -66,14 +66,6 @@ func (s *server) FetchRemote(ctx context.Context, req *gitalypb.FetchRemoteReque
 		})
 	}
 
-	//nolint: staticcheck
-	if host := req.GetRemoteParams().GetHttpHost(); host != "" {
-		config = append(config, git.ConfigPair{
-			Key:   fmt.Sprintf("http.%s.extraHeader", req.GetRemoteParams().GetUrl()),
-			Value: "Host: " + host,
-		})
-	}
-
 	opts.CommandOptions = append(opts.CommandOptions, git.WithConfigEnv(config...))
 
 	sshCommand, cleanup, err := git.BuildSSHInvocation(ctx, req.GetSshKey(), req.GetKnownHosts())
diff --git a/internal/gitaly/service/repository/fetch_remote_test.go b/internal/gitaly/service/repository/fetch_remote_test.go
index 7551c2462..c53dec759 100644
--- a/internal/gitaly/service/repository/fetch_remote_test.go
+++ b/internal/gitaly/service/repository/fetch_remote_test.go
@@ -28,14 +28,9 @@ import (
 
 const (
 	httpToken = "ABCefg0999182"
-	httpHost  = "example.com"
 )
 
 func gitRequestValidation(w http.ResponseWriter, r *http.Request, next http.Handler) {
-	if r.Host != httpHost {
-		http.Error(w, "No Host", http.StatusBadRequest)
-		return
-	}
 	if r.Header.Get("Authorization") != httpToken {
 		http.Error(w, "Unauthorized", http.StatusUnauthorized)
 		return
@@ -784,7 +779,6 @@ func TestFetchRemote(t *testing.T) {
 						RemoteParams: &gitalypb.Remote{
 							Url:                     fmt.Sprintf("http://127.0.0.1:%d/%s", port, "invalid/repo/path.git"),
 							HttpAuthorizationHeader: httpToken,
-							HttpHost:                httpHost,
 						},
 					},
 					runs: []run{
@@ -813,7 +807,6 @@ func TestFetchRemote(t *testing.T) {
 						RemoteParams: &gitalypb.Remote{
 							Url:                     fmt.Sprintf("http://127.0.0.1:%d/%s", port, filepath.Base(remoteRepoPath)),
 							HttpAuthorizationHeader: httpToken,
-							HttpHost:                httpHost,
 						},
 					},
 					runs: []run{
@@ -841,8 +834,7 @@ func TestFetchRemote(t *testing.T) {
 					request: &gitalypb.FetchRemoteRequest{
 						Repository: repoProto,
 						RemoteParams: &gitalypb.Remote{
-							Url:      fmt.Sprintf("http://127.0.0.1:%d/%s", port, filepath.Base(remoteRepoPath)),
-							HttpHost: httpHost,
+							Url: fmt.Sprintf("http://127.0.0.1:%d/%s", port, filepath.Base(remoteRepoPath)),
 						},
 					},
 					runs: []run{
@@ -871,8 +863,7 @@ func TestFetchRemote(t *testing.T) {
 					request: &gitalypb.FetchRemoteRequest{
 						Repository: repoProto,
 						RemoteParams: &gitalypb.Remote{
-							Url:      fmt.Sprintf("http://127.0.0.1:%d/%s", port, filepath.Base(remoteRepoPath)),
-							HttpHost: httpHost,
+							Url: fmt.Sprintf("http://127.0.0.1:%d/%s", port, filepath.Base(remoteRepoPath)),
 						},
 					},
 					runs: []run{
@@ -905,7 +896,6 @@ func TestFetchRemote(t *testing.T) {
 						RemoteParams: &gitalypb.Remote{
 							Url:                     fmt.Sprintf("http://127.0.0.1:%d/%s", port, filepath.Base(remoteRepoPath)),
 							HttpAuthorizationHeader: httpToken,
-							HttpHost:                httpHost,
 						},
 						Timeout: 1,
 					},
diff --git a/proto/go/gitalypb/repository.pb.go b/proto/go/gitalypb/repository.pb.go
index 2a232ffa2..d12d5ee06 100644
--- a/proto/go/gitalypb/repository.pb.go
+++ b/proto/go/gitalypb/repository.pb.go
@@ -3839,12 +3839,6 @@ type Remote struct {
 	//
 	// If no refspecs are given, this defaults to "all_refs".
 	MirrorRefmaps []string `protobuf:"bytes,4,rep,name=mirror_refmaps,json=mirrorRefmaps,proto3" json:"mirror_refmaps,omitempty"`
-	// HttpHost is the hostname of the remote repository. Use this when the
-	// URL hostname has already been resolved to an IP address to prevent DNS
-	// rebinding. This is deprecated as this field is/was never used.
-	//
-	// Deprecated: Marked as deprecated in repository.proto.
-	HttpHost string `protobuf:"bytes,5,opt,name=http_host,json=httpHost,proto3" json:"http_host,omitempty"`
 	// ResolvedAddress holds the resolved IP address of the remote_url. This is
 	// used to avoid DNS rebinding by mapping the url to the resolved address.
 	// Only IPv4 dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), or IPv4-mapped
@@ -3907,14 +3901,6 @@ func (x *Remote) GetMirrorRefmaps() []string {
 	return nil
 }
 
-// Deprecated: Marked as deprecated in repository.proto.
-func (x *Remote) GetHttpHost() string {
-	if x != nil {
-		return x.HttpHost
-	}
-	return ""
-}
-
 func (x *Remote) GetResolvedAddress() string {
 	if x != nil {
 		return x.ResolvedAddress
@@ -5481,7 +5467,7 @@ var file_repository_proto_rawDesc = []byte{
 	0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x6d, 0x61, 0x74, 0x63,
 	0x68, 0x44, 0x61, 0x74, 0x61, 0x12, 0x20, 0x0a, 0x0c, 0x65, 0x6e, 0x64, 0x5f, 0x6f, 0x66, 0x5f,
 	0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x65, 0x6e, 0x64,
-	0x4f, 0x66, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x22, 0xd5, 0x01, 0x0a, 0x06, 0x52, 0x65, 0x6d, 0x6f,
+	0x4f, 0x66, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x22, 0xc5, 0x01, 0x0a, 0x06, 0x52, 0x65, 0x6d, 0x6f,
 	0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
 	0x03, 0x75, 0x72, 0x6c, 0x12, 0x3a, 0x0a, 0x19, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x61, 0x75, 0x74,
 	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65,
@@ -5489,12 +5475,11 @@ var file_repository_proto_rawDesc = []byte{
 	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72,
 	0x12, 0x25, 0x0a, 0x0e, 0x6d, 0x69, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x72, 0x65, 0x66, 0x6d, 0x61,
 	0x70, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x69, 0x72, 0x72, 0x6f, 0x72,
-	0x52, 0x65, 0x66, 0x6d, 0x61, 0x70, 0x73, 0x12, 0x1f, 0x0a, 0x09, 0x68, 0x74, 0x74, 0x70, 0x5f,
-	0x68, 0x6f, 0x73, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x08,
-	0x68, 0x74, 0x74, 0x70, 0x48, 0x6f, 0x73, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x72, 0x65, 0x73, 0x6f,
-	0x6c, 0x76, 0x65, 0x64, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x06, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x0f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72,
-	0x65, 0x73, 0x73, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22,
+	0x52, 0x65, 0x66, 0x6d, 0x61, 0x70, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x72, 0x65, 0x73, 0x6f, 0x6c,
+	0x76, 0x65, 0x64, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65,
+	0x73, 0x73, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x52, 0x04,
+	0x6e, 0x61, 0x6d, 0x65, 0x52, 0x09, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x68, 0x6f, 0x73, 0x74, 0x22,
 	0x59, 0x0a, 0x1d, 0x47, 0x65, 0x74, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x44, 0x69, 0x72, 0x65,
 	0x63, 0x74, 0x6f, 0x72, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
 	0x12, 0x38, 0x0a, 0x0a, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x18, 0x01,
diff --git a/proto/repository.proto b/proto/repository.proto
index 9a06c4ba2..da8027c81 100644
--- a/proto/repository.proto
+++ b/proto/repository.proto
@@ -1019,10 +1019,6 @@ message Remote {
   //
   // If no refspecs are given, this defaults to "all_refs".
   repeated string mirror_refmaps = 4;
-  // HttpHost is the hostname of the remote repository. Use this when the
-  // URL hostname has already been resolved to an IP address to prevent DNS
-  // rebinding. This is deprecated as this field is/was never used.
-  string http_host = 5 [deprecated=true];
   // ResolvedAddress holds the resolved IP address of the remote_url. This is
   // used to avoid DNS rebinding by mapping the url to the resolved address.
   // Only IPv4 dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), or IPv4-mapped
@@ -1039,6 +1035,9 @@ message Remote {
   // field was at best confusing and useless and at worst actively harmful.
   reserved 2;
   reserved "name";
+  // HttpHost has been removed in favor of ResolvedAddress.
+  reserved 5;
+  reserved "http_host";
 }
 
 // This comment is left unintentionally blank.
author	Patrick Steinhardt <psteinhardt@gitlab.com>	2023-05-04 09:35:21 +0300
committer	Patrick Steinhardt <psteinhardt@gitlab.com>	2023-05-04 09:43:41 +0300
commit	3a59e721e457b8cdb8613ba8605218bd2f5f565e (patch)
tree	a8fa845475f6d7940c962ee37440a0a6cb71568a
parent	a92a2b2a776060e5f19a6226a84d183e17ca0b2e (diff)