author | Thong Kuah <tkuah@gitlab.com> | 2019-02-14 02:41:38 +0300 |
---|---|---|
committer | Thong Kuah <tkuah@gitlab.com> | 2019-02-21 13:17:08 +0300 |
commit | e5181ff4facbf61bcb284e0d3a8d1fd2e8119b06 (patch) | |
tree | 201455cedd159085bfff6426ed246e8aea20853c /lib/gitlab | |
parent | b8b18dd6d27b702d434ab87297d4cc3c1adffa67 (diff) |
Do not allow local urls in Kubernetes form
Use existing `public_url` validation to block various local urls. Note
that this validation will allow local urls if the "Allow requests to the
local network from hooks and services" admin setting is enabled.
Block KubeClient from using local addresses
It will also respect `allow_local_requests_from_hooks_and_services` so
if that is enabled KubeClient will allow local addresses
Diffstat (limited to 'lib/gitlab')
-rw-r--r-- | lib/gitlab/kubernetes/kube_client.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/gitlab/kubernetes/kube_client.rb b/lib/gitlab/kubernetes/kube_client.rb
index 624c2c67551..de14df56555 100644
--- a/lib/gitlab/kubernetes/kube_client.rb
+++ b/lib/gitlab/kubernetes/kube_client.rb
@@ -82,6 +82,8 @@ module Gitlab
 def initialize(api_prefix, **kubeclient_options)
 @api_prefix = api_prefix
 @kubeclient_options = kubeclient_options.merge(http_max_redirects: 0)
+
+ validate_url!
 end
 def create_or_update_cluster_role_binding(resource)
@@ -118,6 +120,12 @@ module Gitlab
 private
+ def validate_url!
+ return if Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?
+
+ Gitlab::UrlBlocker.validate!(api_prefix, allow_local_network: false)
+ end
+
 def cluster_role_binding_exists?(resource)
 get_cluster_role_binding(resource.metadata.name)
 rescue ::Kubeclient::ResourceNotFoundError |
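Review bot: `initialize` can now raise, because the added `validate_url!` call runs `Gitlab::UrlBlocker.validate!` on `api_prefix` at construction, and nothing in the first hunk tells callers so. I would add a comment above `def initialize`, for example `# Raises whatever Gitlab::UrlBlocker.validate! raises when api_prefix is a local address and local requests are not allowed.`, so code that builds a client from a stored cluster record knows to rescue it. The check also runs only once here, while the requests are made later through the wrapped client. If UrlBlocker resolves the hostname (its implementation is not visible on this page), a name whose resolution changes after construction is not re-checked, so re-validating before each request or connecting to the validated address is worth considering.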
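Review bot: The early `return` in `validate_url!` (second hunk) skips `Gitlab::UrlBlocker.validate!` entirely when `allow_local_requests_from_hooks_and_services?` is true, so any other check the blocker performs on `api_prefix` is skipped along with the local-network one. Which checks those are is not visible here. I would always call the validator and pass the setting through instead, e.g. `allow = Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?` followed by `Gitlab::UrlBlocker.validate!(api_prefix, allow_localhost: allow, allow_local_network: allow)`, after confirming against UrlBlocker's signature that this keeps the intended behaviour. A one-line comment on the method, such as `# The hooks-and-services admin setting also governs Kubernetes API URLs.`, would explain why a setting named for hooks applies to cluster connections.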