diff options
| author | Thong Kuah <tkuah@gitlab.com> | 2018-10-26 13:53:40 +0300 |
|---|---|---|
| committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-10-26 17:47:00 +0300 |
| commit | 6eb3fc69f6a1f705b6f366dc14d306e1409ee721 (patch) | |
| tree | f86030a7c9383ba581f456a3797db8e7814eeb4b /config/initializers | |
| parent | 160ed1d7a1d56135427dfa68980f9653e41bd907 (diff) | |
Monkey kubeclient to not follow any redirects.
This should prevent any malicious server from responding with a location
that will redirect us and expose internal services, as kubeclient's
rest-client will no longer follow redirects.
Diffstat (limited to 'config/initializers')
| -rw-r--r-- | config/initializers/kubeclient.rb | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/config/initializers/kubeclient.rb b/config/initializers/kubeclient.rb index 7f115268b37..2d9f439fdc0 100644 --- a/config/initializers/kubeclient.rb +++ b/config/initializers/kubeclient.rb @@ -13,4 +13,25 @@ class Kubeclient::Client ns_prefix = build_namespace_prefix(namespace) rest_client["#{ns_prefix}#{entity_name_plural}/#{name}:#{port}/proxy"].url end + + # Monkey patch to set `max_redirects: 0`, so that kubeclient + # does not follow redirects and expose internal services. + # See https://gitlab.com/gitlab-org/gitlab-ce/issues/53158 + def create_rest_client(path = nil) + path ||= @api_endpoint.path + options = { + ssl_ca_file: @ssl_options[:ca_file], + ssl_cert_store: @ssl_options[:cert_store], + verify_ssl: @ssl_options[:verify_ssl], + ssl_client_cert: @ssl_options[:client_cert], + ssl_client_key: @ssl_options[:client_key], + proxy: @http_proxy_uri, + user: @auth_options[:username], + password: @auth_options[:password], + open_timeout: @timeouts[:open], + read_timeout: @timeouts[:read], + max_redirects: 0 + } + RestClient::Resource.new(@api_endpoint.merge(path).to_s, options) + end end |