diff options
author | Patrick Steinhardt <psteinhardt@gitlab.com> | 2023-05-04 09:35:21 +0300 |
---|---|---|
committer | Patrick Steinhardt <psteinhardt@gitlab.com> | 2023-05-04 09:43:25 +0300 |
commit | a92a2b2a776060e5f19a6226a84d183e17ca0b2e (patch) | |
tree | 49ac049b352ba9e53f7a11d623c5db8f04894a51 | |
parent | d4612961aab7380ebe2352bcc734740fe3efc62c (diff) |
proto: Drop deprecated `http_host` field in CreateRepositoryFromSnapshot RPC
The `http_host` field was added in order to avoid DNS rebinding attacks.
Callers would send us both the pre-resolved URL and the hostname so that
we would directly connect to the pre-resolved address, but still be able
to set the HTTP `Host` header as expected. This approach was replaced
in favor of the new `resolved_address` field, where Gitaly receives the
un-resolved URL and resolved IP address so that it can perform the
mapping internally.
We have thus deprecated the `http_host` field via cbdc529000 (proto:
Deprecate `http_host` field, 2022-09-30). Remove the field for the
CreateRepositoryFromSnapshot RPC.
Changelog: removed
4 files changed, 15 insertions, 46 deletions
diff --git a/internal/gitaly/service/repository/create_repository_from_snapshot.go b/internal/gitaly/service/repository/create_repository_from_snapshot.go index 0584d9a9a..0b39c5402 100644 --- a/internal/gitaly/service/repository/create_repository_from_snapshot.go +++ b/internal/gitaly/service/repository/create_repository_from_snapshot.go @@ -101,10 +101,6 @@ func untar(ctx context.Context, path string, in *gitalypb.CreateRepositoryFromSn if in.HttpAuth != "" { req.Header.Set("Authorization", in.HttpAuth) } - //nolint:staticcheck - if httpHost := in.GetHttpHost(); httpHost != "" { - req.Host = httpHost - } rsp, err := client.Do(req) if err != nil { diff --git a/internal/gitaly/service/repository/create_repository_from_snapshot_test.go b/internal/gitaly/service/repository/create_repository_from_snapshot_test.go index 7f81bea0b..bef55949b 100644 --- a/internal/gitaly/service/repository/create_repository_from_snapshot_test.go +++ b/internal/gitaly/service/repository/create_repository_from_snapshot_test.go @@ -28,22 +28,16 @@ import ( var ( secret = "Magic secret" - host = "example.com" redirectPath = "/redirecting-snapshot.tar" tarPath = "/snapshot.tar" ) type tarTesthandler struct { tarData io.Reader - host string secret string } func (h *tarTesthandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { - if h.host != "" && r.Host != h.host { - http.Error(w, "No Host", http.StatusBadRequest) - return - } if r.Header.Get("Authorization") != h.secret { http.Error(w, "Unauthorized", http.StatusUnauthorized) return @@ -96,7 +90,7 @@ func TestCreateRepositoryFromSnapshot_success(t *testing.T) { data, entries := generateTarFile(t, sourceRepoPath) // Create a HTTP server that serves a given tar file - srv := httptest.NewServer(&tarTesthandler{tarData: bytes.NewReader(data), secret: secret, host: host}) + srv := httptest.NewServer(&tarTesthandler{tarData: bytes.NewReader(data), secret: secret}) defer srv.Close() repoRelativePath := filepath.Join("non-existing-parent", "repository") @@ -109,7 +103,6 @@ func TestCreateRepositoryFromSnapshot_success(t *testing.T) { Repository: repo, HttpUrl: srv.URL + tarPath, HttpAuth: secret, - HttpHost: host, } rsp, err := client.CreateRepositoryFromSnapshot(ctx, req) @@ -222,7 +215,7 @@ func TestCreateRepositoryFromSnapshot_invalidArguments(t *testing.T) { }, } - srv := httptest.NewServer(&tarTesthandler{secret: secret, host: host}) + srv := httptest.NewServer(&tarTesthandler{secret: secret}) defer srv.Close() for _, tc := range testCases { @@ -238,7 +231,6 @@ func TestCreateRepositoryFromSnapshot_invalidArguments(t *testing.T) { }, HttpUrl: srv.URL + tc.url, HttpAuth: tc.auth, - HttpHost: host, ResolvedAddress: tc.resolvedAddress, } @@ -269,7 +261,7 @@ func TestCreateRepositoryFromSnapshot_malformedResponse(t *testing.T) { // Only serve half of the tar file dataReader := io.LimitReader(bytes.NewReader(data), int64(len(data)/2)) - srv := httptest.NewServer(&tarTesthandler{tarData: dataReader, secret: secret, host: host}) + srv := httptest.NewServer(&tarTesthandler{tarData: dataReader, secret: secret}) defer srv.Close() // Delete the repository so we can re-use the path @@ -279,7 +271,6 @@ func TestCreateRepositoryFromSnapshot_malformedResponse(t *testing.T) { Repository: repo, HttpUrl: srv.URL + tarPath, HttpAuth: secret, - HttpHost: host, } rsp, err := client.CreateRepositoryFromSnapshot(ctx, req) @@ -308,7 +299,7 @@ func TestCreateRepositoryFromSnapshot_resolvedAddressSuccess(t *testing.T) { data, entries := generateTarFile(t, sourceRepoPath) // Create a HTTP server that serves a given tar file - srv := httptest.NewServer(&tarTesthandler{tarData: bytes.NewReader(data), secret: secret, host: host}) + srv := httptest.NewServer(&tarTesthandler{tarData: bytes.NewReader(data), secret: secret}) defer srv.Close() repoRelativePath := gittest.NewRepositoryName(t) @@ -325,14 +316,13 @@ func TestCreateRepositoryFromSnapshot_resolvedAddressSuccess(t *testing.T) { u, err := url.Parse(srv.URL) require.NoError(t, err) - randomHostname := fmt.Sprintf("http://www.example.com:%s%s", u.Port(), tarPath) + randomHostname := fmt.Sprintf("http://localhost:%s%s", u.Port(), tarPath) req := &gitalypb.CreateRepositoryFromSnapshotRequest{ Repository: repo, HttpUrl: randomHostname, HttpAuth: secret, ResolvedAddress: u.Hostname(), - HttpHost: host, } rsp, err := client.CreateRepositoryFromSnapshot(ctx, req) diff --git a/proto/go/gitalypb/repository.pb.go b/proto/go/gitalypb/repository.pb.go index 23a953c4d..2a232ffa2 100644 --- a/proto/go/gitalypb/repository.pb.go +++ b/proto/go/gitalypb/repository.pb.go @@ -3300,13 +3300,6 @@ type CreateRepositoryFromSnapshotRequest struct { HttpUrl string `protobuf:"bytes,2,opt,name=http_url,json=httpUrl,proto3" json:"http_url,omitempty"` // This comment is left unintentionally blank. HttpAuth string `protobuf:"bytes,3,opt,name=http_auth,json=httpAuth,proto3" json:"http_auth,omitempty"` - // HttpHost is the hostname of the remote snapshot. Use this when the - // URL hostname has already been resolved to an IP address to prevent DNS - // rebinding. This is deprecated as we will be using resolved_address - // going forward. - // - // Deprecated: Marked as deprecated in repository.proto. - HttpHost string `protobuf:"bytes,4,opt,name=http_host,json=httpHost,proto3" json:"http_host,omitempty"` // ResolvedAddress holds the resolved IP address of the remote_url. This is // used to avoid DNS rebinding by mapping the url to the resolved address. // Only IPv4 dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), or IPv4-mapped @@ -3369,14 +3362,6 @@ func (x *CreateRepositoryFromSnapshotRequest) GetHttpAuth() string { return "" } -// Deprecated: Marked as deprecated in repository.proto. -func (x *CreateRepositoryFromSnapshotRequest) GetHttpHost() string { - if x != nil { - return x.HttpHost - } - return "" -} - func (x *CreateRepositoryFromSnapshotRequest) GetResolvedAddress() string { if x != nil { return x.ResolvedAddress @@ -5402,7 +5387,7 @@ var file_repository_proto_rawDesc = []byte{ 0x79, 0x42, 0x04, 0x98, 0xc6, 0x2c, 0x01, 0x52, 0x0a, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x22, 0x29, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x53, 0x6e, 0x61, 0x70, 0x73, 0x68, 0x6f, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, - 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0xe3, + 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0xd3, 0x01, 0x0a, 0x23, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x46, 0x72, 0x6f, 0x6d, 0x53, 0x6e, 0x61, 0x70, 0x73, 0x68, 0x6f, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x38, 0x0a, 0x0a, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, @@ -5412,12 +5397,11 @@ var file_repository_proto_rawDesc = []byte{ 0x12, 0x19, 0x0a, 0x08, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x68, 0x74, 0x74, 0x70, 0x55, 0x72, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, - 0x68, 0x74, 0x74, 0x70, 0x41, 0x75, 0x74, 0x68, 0x12, 0x1f, 0x0a, 0x09, 0x68, 0x74, 0x74, 0x70, - 0x5f, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, - 0x08, 0x68, 0x74, 0x74, 0x70, 0x48, 0x6f, 0x73, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x72, 0x65, 0x73, - 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x05, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x41, 0x64, 0x64, - 0x72, 0x65, 0x73, 0x73, 0x22, 0x26, 0x0a, 0x24, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x65, + 0x68, 0x74, 0x74, 0x70, 0x41, 0x75, 0x74, 0x68, 0x12, 0x29, 0x0a, 0x10, 0x72, 0x65, 0x73, 0x6f, + 0x6c, 0x76, 0x65, 0x64, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x05, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72, + 0x65, 0x73, 0x73, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x52, 0x09, 0x68, 0x74, 0x74, 0x70, 0x5f, + 0x68, 0x6f, 0x73, 0x74, 0x22, 0x26, 0x0a, 0x24, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x46, 0x72, 0x6f, 0x6d, 0x53, 0x6e, 0x61, 0x70, 0x73, 0x68, 0x6f, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x96, 0x01, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x52, 0x61, 0x77, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x52, 0x65, diff --git a/proto/repository.proto b/proto/repository.proto index 79aef15d4..9a06c4ba2 100644 --- a/proto/repository.proto +++ b/proto/repository.proto @@ -870,11 +870,6 @@ message CreateRepositoryFromSnapshotRequest { string http_url = 2; // This comment is left unintentionally blank. string http_auth = 3; - // HttpHost is the hostname of the remote snapshot. Use this when the - // URL hostname has already been resolved to an IP address to prevent DNS - // rebinding. This is deprecated as we will be using resolved_address - // going forward. - string http_host = 4 [deprecated=true]; // ResolvedAddress holds the resolved IP address of the remote_url. This is // used to avoid DNS rebinding by mapping the url to the resolved address. // Only IPv4 dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), or IPv4-mapped @@ -882,6 +877,10 @@ message CreateRepositoryFromSnapshotRequest { // Works with HTTP/HTTPS protocols. // Optional. string resolved_address = 5; + + // HttpHost has been removed in favor of ResolvedAddress. + reserved 4; + reserved "http_host"; } // This comment is left unintentionally blank. |