proto: Drop deprecated `http_host` field in CreateRepositoryFromSnapshot RPC

The `http_host` field was added in order to avoid DNS rebinding attacks. Callers would send us both the pre-resolved URL and the hostname so that we would directly connect to the pre-resolved address, but still be able to set the HTTP `Host` header as expected. This approach was replaced in favor of the new `resolved_address` field, where Gitaly receives the un-resolved URL and resolved IP address so that it can perform the mapping internally. We have thus deprecated the `http_host` field via cbdc529000 (proto: Deprecate `http_host` field, 2022-09-30). Remove the field for the CreateRepositoryFromSnapshot RPC. Changelog: removed
author: Patrick Steinhardt <psteinhardt@gitlab.com> 2023-05-04 09:35:21 +0300
committer: Patrick Steinhardt <psteinhardt@gitlab.com> 2023-05-04 09:43:25 +0300
commit: a92a2b2a776060e5f19a6226a84d183e17ca0b2e (patch)
tree: 49ac049b352ba9e53f7a11d623c5db8f04894a51
parent: d4612961aab7380ebe2352bcc734740fe3efc62c (diff)
4 files changed, 15 insertions, 46 deletions
diff --git a/internal/gitaly/service/repository/create_repository_from_snapshot.go b/internal/gitaly/service/repository/create_repository_from_snapshot.go
index 0584d9a9a..0b39c5402 100644
--- a/internal/gitaly/service/repository/create_repository_from_snapshot.go
+++ b/internal/gitaly/service/repository/create_repository_from_snapshot.go
@@ -101,10 +101,6 @@ func untar(ctx context.Context, path string, in *gitalypb.CreateRepositoryFromSn
 	if in.HttpAuth != "" {
 		req.Header.Set("Authorization", in.HttpAuth)
 	}
-	//nolint:staticcheck
-	if httpHost := in.GetHttpHost(); httpHost != "" {
-		req.Host = httpHost
-	}
 
 	rsp, err := client.Do(req)
 	if err != nil {
diff --git a/internal/gitaly/service/repository/create_repository_from_snapshot_test.go b/internal/gitaly/service/repository/create_repository_from_snapshot_test.go
index 7f81bea0b..bef55949b 100644
--- a/internal/gitaly/service/repository/create_repository_from_snapshot_test.go
+++ b/internal/gitaly/service/repository/create_repository_from_snapshot_test.go
@@ -28,22 +28,16 @@ import (
 
 var (
 	secret       = "Magic secret"
-	host         = "example.com"
 	redirectPath = "/redirecting-snapshot.tar"
 	tarPath      = "/snapshot.tar"
 )
 
 type tarTesthandler struct {
 	tarData io.Reader
-	host    string
 	secret  string
 }
 
 func (h *tarTesthandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if h.host != "" && r.Host != h.host {
-		http.Error(w, "No Host", http.StatusBadRequest)
-		return
-	}
 	if r.Header.Get("Authorization") != h.secret {
 		http.Error(w, "Unauthorized", http.StatusUnauthorized)
 		return
@@ -96,7 +90,7 @@ func TestCreateRepositoryFromSnapshot_success(t *testing.T) {
 	data, entries := generateTarFile(t, sourceRepoPath)
 
 	// Create a HTTP server that serves a given tar file
-	srv := httptest.NewServer(&tarTesthandler{tarData: bytes.NewReader(data), secret: secret, host: host})
+	srv := httptest.NewServer(&tarTesthandler{tarData: bytes.NewReader(data), secret: secret})
 	defer srv.Close()
 
 	repoRelativePath := filepath.Join("non-existing-parent", "repository")
@@ -109,7 +103,6 @@ func TestCreateRepositoryFromSnapshot_success(t *testing.T) {
 		Repository: repo,
 		HttpUrl:    srv.URL + tarPath,
 		HttpAuth:   secret,
-		HttpHost:   host,
 	}
 
 	rsp, err := client.CreateRepositoryFromSnapshot(ctx, req)
@@ -222,7 +215,7 @@ func TestCreateRepositoryFromSnapshot_invalidArguments(t *testing.T) {
 		},
 	}
 
-	srv := httptest.NewServer(&tarTesthandler{secret: secret, host: host})
+	srv := httptest.NewServer(&tarTesthandler{secret: secret})
 	defer srv.Close()
 
 	for _, tc := range testCases {
@@ -238,7 +231,6 @@ func TestCreateRepositoryFromSnapshot_invalidArguments(t *testing.T) {
 				},
 				HttpUrl:         srv.URL + tc.url,
 				HttpAuth:        tc.auth,
-				HttpHost:        host,
 				ResolvedAddress: tc.resolvedAddress,
 			}
 
@@ -269,7 +261,7 @@ func TestCreateRepositoryFromSnapshot_malformedResponse(t *testing.T) {
 	// Only serve half of the tar file
 	dataReader := io.LimitReader(bytes.NewReader(data), int64(len(data)/2))
 
-	srv := httptest.NewServer(&tarTesthandler{tarData: dataReader, secret: secret, host: host})
+	srv := httptest.NewServer(&tarTesthandler{tarData: dataReader, secret: secret})
 	defer srv.Close()
 
 	// Delete the repository so we can re-use the path
@@ -279,7 +271,6 @@ func TestCreateRepositoryFromSnapshot_malformedResponse(t *testing.T) {
 		Repository: repo,
 		HttpUrl:    srv.URL + tarPath,
 		HttpAuth:   secret,
-		HttpHost:   host,
 	}
 
 	rsp, err := client.CreateRepositoryFromSnapshot(ctx, req)
@@ -308,7 +299,7 @@ func TestCreateRepositoryFromSnapshot_resolvedAddressSuccess(t *testing.T) {
 	data, entries := generateTarFile(t, sourceRepoPath)
 
 	// Create a HTTP server that serves a given tar file
-	srv := httptest.NewServer(&tarTesthandler{tarData: bytes.NewReader(data), secret: secret, host: host})
+	srv := httptest.NewServer(&tarTesthandler{tarData: bytes.NewReader(data), secret: secret})
 	defer srv.Close()
 
 	repoRelativePath := gittest.NewRepositoryName(t)
@@ -325,14 +316,13 @@ func TestCreateRepositoryFromSnapshot_resolvedAddressSuccess(t *testing.T) {
 	u, err := url.Parse(srv.URL)
 	require.NoError(t, err)
 
-	randomHostname := fmt.Sprintf("http://www.example.com:%s%s", u.Port(), tarPath)
+	randomHostname := fmt.Sprintf("http://localhost:%s%s", u.Port(), tarPath)
 
 	req := &gitalypb.CreateRepositoryFromSnapshotRequest{
 		Repository:      repo,
 		HttpUrl:         randomHostname,
 		HttpAuth:        secret,
 		ResolvedAddress: u.Hostname(),
-		HttpHost:        host,
 	}
 
 	rsp, err := client.CreateRepositoryFromSnapshot(ctx, req)
diff --git a/proto/go/gitalypb/repository.pb.go b/proto/go/gitalypb/repository.pb.go
index 23a953c4d..2a232ffa2 100644
--- a/proto/go/gitalypb/repository.pb.go
+++ b/proto/go/gitalypb/repository.pb.go
@@ -3300,13 +3300,6 @@ type CreateRepositoryFromSnapshotRequest struct {
 	HttpUrl string `protobuf:"bytes,2,opt,name=http_url,json=httpUrl,proto3" json:"http_url,omitempty"`
 	// This comment is left unintentionally blank.
 	HttpAuth string `protobuf:"bytes,3,opt,name=http_auth,json=httpAuth,proto3" json:"http_auth,omitempty"`
-	// HttpHost is the hostname of the remote snapshot. Use this when the
-	// URL hostname has already been resolved to an IP address to prevent DNS
-	// rebinding. This is deprecated as we will be using resolved_address
-	// going forward.
-	//
-	// Deprecated: Marked as deprecated in repository.proto.
-	HttpHost string `protobuf:"bytes,4,opt,name=http_host,json=httpHost,proto3" json:"http_host,omitempty"`
 	// ResolvedAddress holds the resolved IP address of the remote_url. This is
 	// used to avoid DNS rebinding by mapping the url to the resolved address.
 	// Only IPv4 dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), or IPv4-mapped
@@ -3369,14 +3362,6 @@ func (x *CreateRepositoryFromSnapshotRequest) GetHttpAuth() string {
 	return ""
 }
 
-// Deprecated: Marked as deprecated in repository.proto.
-func (x *CreateRepositoryFromSnapshotRequest) GetHttpHost() string {
-	if x != nil {
-		return x.HttpHost
-	}
-	return ""
-}
-
 func (x *CreateRepositoryFromSnapshotRequest) GetResolvedAddress() string {
 	if x != nil {
 		return x.ResolvedAddress
@@ -5402,7 +5387,7 @@ var file_repository_proto_rawDesc = []byte{
 	0x79, 0x42, 0x04, 0x98, 0xc6, 0x2c, 0x01, 0x52, 0x0a, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74,
 	0x6f, 0x72, 0x79, 0x22, 0x29, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x53, 0x6e, 0x61, 0x70, 0x73, 0x68,
 	0x6f, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x61,
-	0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0xe3,
+	0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0xd3,
 	0x01, 0x0a, 0x23, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74,
 	0x6f, 0x72, 0x79, 0x46, 0x72, 0x6f, 0x6d, 0x53, 0x6e, 0x61, 0x70, 0x73, 0x68, 0x6f, 0x74, 0x52,
 	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x38, 0x0a, 0x0a, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69,
@@ -5412,12 +5397,11 @@ var file_repository_proto_rawDesc = []byte{
 	0x12, 0x19, 0x0a, 0x08, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01,
 	0x28, 0x09, 0x52, 0x07, 0x68, 0x74, 0x74, 0x70, 0x55, 0x72, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x68,
 	0x74, 0x74, 0x70, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
-	0x68, 0x74, 0x74, 0x70, 0x41, 0x75, 0x74, 0x68, 0x12, 0x1f, 0x0a, 0x09, 0x68, 0x74, 0x74, 0x70,
-	0x5f, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52,
-	0x08, 0x68, 0x74, 0x74, 0x70, 0x48, 0x6f, 0x73, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x72, 0x65, 0x73,
-	0x6f, 0x6c, 0x76, 0x65, 0x64, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x41, 0x64, 0x64,
-	0x72, 0x65, 0x73, 0x73, 0x22, 0x26, 0x0a, 0x24, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x65,
+	0x68, 0x74, 0x74, 0x70, 0x41, 0x75, 0x74, 0x68, 0x12, 0x29, 0x0a, 0x10, 0x72, 0x65, 0x73, 0x6f,
+	0x6c, 0x76, 0x65, 0x64, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x05, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72,
+	0x65, 0x73, 0x73, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x52, 0x09, 0x68, 0x74, 0x74, 0x70, 0x5f,
+	0x68, 0x6f, 0x73, 0x74, 0x22, 0x26, 0x0a, 0x24, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x65,
 	0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x46, 0x72, 0x6f, 0x6d, 0x53, 0x6e, 0x61, 0x70,
 	0x73, 0x68, 0x6f, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x96, 0x01, 0x0a,
 	0x14, 0x47, 0x65, 0x74, 0x52, 0x61, 0x77, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x52, 0x65,
diff --git a/proto/repository.proto b/proto/repository.proto
index 79aef15d4..9a06c4ba2 100644
--- a/proto/repository.proto
+++ b/proto/repository.proto
@@ -870,11 +870,6 @@ message CreateRepositoryFromSnapshotRequest {
   string http_url = 2;
   // This comment is left unintentionally blank.
   string http_auth = 3;
-  // HttpHost is the hostname of the remote snapshot. Use this when the
-  // URL hostname has already been resolved to an IP address to prevent DNS
-  // rebinding. This is deprecated as we will be using resolved_address
-  // going forward.
-  string http_host = 4 [deprecated=true];
   // ResolvedAddress holds the resolved IP address of the remote_url. This is
   // used to avoid DNS rebinding by mapping the url to the resolved address.
   // Only IPv4 dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), or IPv4-mapped
@@ -882,6 +877,10 @@ message CreateRepositoryFromSnapshotRequest {
   // Works with HTTP/HTTPS protocols.
   // Optional.
   string resolved_address = 5;
+
+  // HttpHost has been removed in favor of ResolvedAddress.
+  reserved 4;
+  reserved "http_host";
 }
 
 // This comment is left unintentionally blank.
author	Patrick Steinhardt <psteinhardt@gitlab.com>	2023-05-04 09:35:21 +0300
committer	Patrick Steinhardt <psteinhardt@gitlab.com>	2023-05-04 09:43:25 +0300
commit	a92a2b2a776060e5f19a6226a84d183e17ca0b2e (patch)
tree	49ac049b352ba9e53f7a11d623c5db8f04894a51
parent	d4612961aab7380ebe2352bcc734740fe3efc62c (diff)