author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-17 19:05:49 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-17 19:05:49 +0300 |
commit | 43a25d93ebdabea52f99b05e15b06250cd8f07d7 (patch) | |
tree | dceebdc68925362117480a5d672bcff122fb625b /lib/gitlab/middleware | |
parent | 20c84b99005abd1c82101dfeff264ac50d2df211 (diff) |
Add latest changes from gitlab-org/gitlab@16-0-stable-eev16.0.0-rc42
Diffstat (limited to 'lib/gitlab/middleware')
-rw-r--r-- | lib/gitlab/middleware/compressed_json.rb | 39 | ||||
-rw-r--r-- | lib/gitlab/middleware/go.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/middleware/request_context.rb | 12 |
3 files changed, 29 insertions, 24 deletions
diff --git a/lib/gitlab/middleware/compressed_json.rb b/lib/gitlab/middleware/compressed_json.rb
index 80916eab5ac..cc485d8a5db 100644
--- a/lib/gitlab/middleware/compressed_json.rb
+++ b/lib/gitlab/middleware/compressed_json.rb
@@ -4,15 +4,23 @@ module Gitlab
   module Middleware
     class CompressedJson
       COLLECTOR_PATH = '/api/v4/error_tracking/collector'
-      PACKAGES_PATH = %r{
-        \A/api/v4/ (?# prefix)
-        (?:projects/
-          (?<project_id>
-            .+ (?# at least one character)
-          )/
-        )? (?# projects segment)
-        packages/npm/-/npm/v1/security/
-        (?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
+      INSTANCE_PACKAGES_PATH = %r{
+        \A/api/v4/packages/npm/-/npm/v1/security/
+        (?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
+      }xi.freeze
+      GROUP_PACKAGES_PATH = %r{
+        \A/api/v4/groups/
+        (?<id>
+          [a-zA-Z0-9%-._]{1,255}
+        )/-/packages/npm/-/npm/v1/security/
+        (?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
+      }xi.freeze
+      PROJECT_PACKAGES_PATH = %r{
+        \A/api/v4/projects/
+        (?<id>
+          [a-zA-Z0-9%-._]{1,255}
+        )/packages/npm/-/npm/v1/security/
+        (?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
       }xi.freeze
       MAXIMUM_BODY_SIZE = 200.kilobytes.to_i
       UNSAFE_CHARACTERS = %r{[!"#&'()*+,./:;<>=?@\[\]^`{}|~$]}xi.freeze
@@ -76,16 +84,19 @@ module Gitlab
       end
       def match_packages_path?(env)
-        match_data = env['PATH_INFO'].delete_prefix(relative_url).match(PACKAGES_PATH)
+        path = env['PATH_INFO'].delete_prefix(relative_url)
+        match_data = path.match(INSTANCE_PACKAGES_PATH) ||
+          path.match(PROJECT_PACKAGES_PATH) ||
+          path.match(GROUP_PACKAGES_PATH)
         return false unless match_data
-        return true unless match_data[:project_id] # instance level endpoint was matched
+        return true if match_data.names.empty? # instance level endpoint was matched
-        url_encoded?(match_data[:project_id])
+        url_encoded?(match_data[:id])
       end
-      def url_encoded?(project_id)
-        project_id !~ UNSAFE_CHARACTERS
+      def url_encoded?(id)
+        id !~ UNSAFE_CHARACTERS
       end
     end
   end
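Review bot: The `%-.` inside the new `(?<id> [a-zA-Z0-9%-._]{1,255} )` class of GROUP_PACKAGES_PATH and PROJECT_PACKAGES_PATH is parsed as a range from `%` (0x25) to `.` (0x2E), so the capture also admits `&'()*+,`, which does not look intended for a URL-encoded id. In this commit the outcome is unchanged because `url_encoded?` rejects every one of those characters through UNSAFE_CHARACTERS, but the regex should state the allowed set rather than depend on the later check; moving the hyphen to the end, `[a-zA-Z0-9%._-]{1,255}`, removes the accidental range. Since the identical class is written twice, a shared `ID_CHARACTERS = /[a-zA-Z0-9%._-]{1,255}/` interpolated into both patterns would also keep them from drifting apart. The class body continues past the end of this hunk.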
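Review bot: `return true if match_data.names.empty?` in match_packages_path? recognises the instance-level route only by the fact that INSTANCE_PACKAGES_PATH happens to declare no named group, so a later capture added to that pattern would silently send instance requests through `url_encoded?(match_data[:id])` with a nil id, whose result then rests on `nil !~ UNSAFE_CHARACTERS`. Testing the instance pattern explicitly says what is meant and removes that coupling between three constants and one method. match_packages_path? is complete within the hunk; the enclosing class continues outside it.
```ruby
      def match_packages_path?(env)
        path = env['PATH_INFO'].delete_prefix(relative_url)
        return true if path.match?(INSTANCE_PACKAGES_PATH) # instance level endpoint, no id to validate

        match_data = path.match(PROJECT_PACKAGES_PATH) || path.match(GROUP_PACKAGES_PATH)
        return false unless match_data

        url_encoded?(match_data[:id])
      end
```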
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index 13f7ab36823..4da5fef9fd7 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -18,7 +18,7 @@ module Gitlab
         request = ActionDispatch::Request.new(env)
         render_go_doc(request) || @app.call(env)
-      rescue Gitlab::Auth::IpBlacklisted
+      rescue Gitlab::Auth::IpBlocked
         Gitlab::AuthLogger.error(
           message: 'Rack_Attack',
           status: 403,
diff --git a/lib/gitlab/middleware/request_context.rb b/lib/gitlab/middleware/request_context.rb
index 07f6f87a68c..f609002007c 100644
--- a/lib/gitlab/middleware/request_context.rb
+++ b/lib/gitlab/middleware/request_context.rb
@@ -8,15 +8,9 @@ module Gitlab
       end
       def call(env)
-        # We should be using ActionDispatch::Request instead of
-        # Rack::Request to be consistent with Rails, but due to a Rails
-        # bug described in
-        # https://gitlab.com/gitlab-org/gitlab-foss/issues/58573#note_149799010
-        # hosts behind a load balancer will only see 127.0.0.1 for the
-        # load balancer's IP.
-        req = Rack::Request.new(env)
-
-        ::Gitlab::InstrumentationHelper.init_instrumentation_data(request_ip: req.ip)
+        request = ActionDispatch::Request.new(env)
+        Gitlab::RequestContext.start_request_context(request: request)
+        Gitlab::RequestContext.start_thread_context
         @app.call(env)
       end
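Review bot: The removed comment in request_context.rb recorded why this middleware deliberately built a Rack::Request rather than an ActionDispatch::Request (hosts behind a load balancer only saw 127.0.0.1 for the client IP), and the new `request = ActionDispatch::Request.new(env)` reverses that decision without noting why the concern no longer applies. How `Gitlab::RequestContext.start_request_context` derives the client address is not visible here; if it reads `request.remote_ip`, the result now depends on the Rails trusted-proxies configuration, and a misconfigured deployment would let a client-supplied X-Forwarded-For header decide the address that presumably feeds request logging and the IP blocking that the go.rb hunk in this same commit (`rescue Gitlab::Auth::IpBlocked`) shows is in play. I would add above the new line: `# Client IP for this request is derived by Gitlab::RequestContext from this ActionDispatch::Request; forwarded-for headers are only trusted for proxies listed in action_dispatch.trusted_proxies — verify behind a load balancer.` `call` is complete within the hunk; the class continues outside it.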