Merge branch 'qmnguyen0711/parse-remote-ip-before-propagating' into 'master'

Ignore source port in pack-objects limiting See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5702 Merged-by: karthik nayak <knayak@gitlab.com> Approved-by: John Cai <jcai@gitlab.com> Approved-by: karthik nayak <knayak@gitlab.com> Co-authored-by: Quang-Minh Nguyen <qmnguyen@gitlab.com>
author: karthik nayak <knayak@gitlab.com> 2023-04-28 16:01:28 +0300
committer: karthik nayak <knayak@gitlab.com> 2023-04-28 16:01:28 +0300
commit: 39c2ecadff55fcb9ecffe9526dcd7ace6fd59265 (patch)
tree: f082b94f081e3e39d3c6534d68a714aa89c72da4
parent: 72a64aac764299b68c572c75ace3ffff7164a23e (diff)
parent: d27c1fa1194fdbfa4e6fb846b651b3b2a6b9c115 (diff)
2 files changed, 83 insertions, 1 deletions
diff --git a/internal/gitaly/service/hook/pack_objects.go b/internal/gitaly/service/hook/pack_objects.go
index 27bfc39b8..6d2f1dc4c 100644
--- a/internal/gitaly/service/hook/pack_objects.go
+++ b/internal/gitaly/service/hook/pack_objects.go
@@ -108,12 +108,18 @@ func (s *server) packObjectsHook(ctx context.Context, req *gitalypb.PackObjectsH
 
 		if featureflag.PackObjectsLimitingRemoteIP.IsEnabled(ctx) && req.GetRemoteIp() != "" {
 			ipAddr := net.ParseIP(req.GetRemoteIp())
+			if ipAddr == nil {
+				// Best effort, maybe the remote IP includes source port
+				if ip, _, err := net.SplitHostPort(req.GetRemoteIp()); err == nil {
+					ipAddr = net.ParseIP(ip)
+				}
+			}
 			// Ignore loop-back IPs
 			if ipAddr != nil && !ipAddr.IsLoopback() {
 				return s.runPackObjectsLimited(
 					ctx,
 					w,
-					req.GetRemoteIp(),
+					ipAddr.String(),
 					req,
 					args,
 					stdin,
diff --git a/internal/gitaly/service/hook/pack_objects_test.go b/internal/gitaly/service/hook/pack_objects_test.go
index d05de7458..ae4b9d992 100644
--- a/internal/gitaly/service/hook/pack_objects_test.go
+++ b/internal/gitaly/service/hook/pack_objects_test.go
@@ -743,6 +743,32 @@ func testPackObjectsConcurrency(t *testing.T, ctx context.Context) {
 				featureflag.PackObjectsLimitingRemoteIP.IsEnabled(ctx),
 		},
 		{
+			desc: "IP addresses including source port",
+			requests: [2]*gitalypb.PackObjectsHookWithSidechannelRequest{
+				{
+					GlId:     "user-123",
+					RemoteIp: "1.2.3.4:47293",
+					Repository: &gitalypb.Repository{
+						StorageName:  "storage-0",
+						RelativePath: "a/b/c",
+					},
+					Args: args,
+				},
+				{
+					GlId:     "user-123",
+					RemoteIp: "1.2.3.4:51010",
+					Repository: &gitalypb.Repository{
+						StorageName:  "storage-0",
+						RelativePath: "a/b/c",
+					},
+					Args: args,
+				},
+			},
+			shouldLimit: featureflag.PackObjectsLimitingRepo.IsEnabled(ctx) ||
+				featureflag.PackObjectsLimitingUser.IsEnabled(ctx) ||
+				featureflag.PackObjectsLimitingRemoteIP.IsEnabled(ctx),
+		},
+		{
 			desc: "IPv4 loopback addresses",
 			requests: [2]*gitalypb.PackObjectsHookWithSidechannelRequest{
 				{
@@ -792,6 +818,56 @@ func testPackObjectsConcurrency(t *testing.T, ctx context.Context) {
 			shouldLimit: featureflag.PackObjectsLimitingRepo.IsEnabled(ctx) ||
 				featureflag.PackObjectsLimitingUser.IsEnabled(ctx),
 		},
+		{
+			desc: "invalid IP addresses",
+			requests: [2]*gitalypb.PackObjectsHookWithSidechannelRequest{
+				{
+					GlId:     "user-123",
+					RemoteIp: "hello-world",
+					Repository: &gitalypb.Repository{
+						StorageName:  "storage-0",
+						RelativePath: "a/b/c",
+					},
+					Args: args,
+				},
+				{
+					GlId:     "user-123",
+					RemoteIp: "hello-world",
+					Repository: &gitalypb.Repository{
+						StorageName:  "storage-0",
+						RelativePath: "a/b/c",
+					},
+					Args: args,
+				},
+			},
+			shouldLimit: featureflag.PackObjectsLimitingRepo.IsEnabled(ctx) ||
+				featureflag.PackObjectsLimitingUser.IsEnabled(ctx),
+		},
+		{
+			desc: "empty IP addresses",
+			requests: [2]*gitalypb.PackObjectsHookWithSidechannelRequest{
+				{
+					GlId:     "user-123",
+					RemoteIp: "",
+					Repository: &gitalypb.Repository{
+						StorageName:  "storage-0",
+						RelativePath: "a/b/c",
+					},
+					Args: args,
+				},
+				{
+					GlId:     "user-123",
+					RemoteIp: "",
+					Repository: &gitalypb.Repository{
+						StorageName:  "storage-0",
+						RelativePath: "a/b/c",
+					},
+					Args: args,
+				},
+			},
+			shouldLimit: featureflag.PackObjectsLimitingRepo.IsEnabled(ctx) ||
+				featureflag.PackObjectsLimitingUser.IsEnabled(ctx),
+		},
 	} {
 		t.Run(tc.desc, func(t *testing.T) {
 			ticker := helper.NewManualTicker()
author	karthik nayak <knayak@gitlab.com>	2023-04-28 16:01:28 +0300
committer	karthik nayak <knayak@gitlab.com>	2023-04-28 16:01:28 +0300
commit	39c2ecadff55fcb9ecffe9526dcd7ace6fd59265 (patch)
tree	f082b94f081e3e39d3c6534d68a714aa89c72da4
parent	72a64aac764299b68c572c75ace3ffff7164a23e (diff)
parent	d27c1fa1194fdbfa4e6fb846b651b3b2a6b9c115 (diff)