1 files changed, 25 insertions, 0 deletions

diff --git a/lib/gitlab/http.rb b/lib/gitlab/http.rb
index c6cd5fbfced..8b19611e5c0 100644
--- a/lib/gitlab/http.rb
+++ b/lib/gitlab/http.rb
@@ -10,6 +10,7 @@ module Gitlab
     RedirectionTooDeep = Class.new(StandardError)
     ReadTotalTimeout = Class.new(Net::ReadTimeout)
     HeaderReadTimeout = Class.new(Net::ReadTimeout)
+    SilentModeBlockedError = Class.new(StandardError)
 
     HTTP_TIMEOUT_ERRORS = [
       Net::OpenTimeout, Net::ReadTimeout, Net::WriteTimeout, Gitlab::HTTP::ReadTotalTimeout
@@ -28,6 +29,13 @@ module Gitlab
     }.freeze
     DEFAULT_READ_TOTAL_TIMEOUT = 30.seconds
 
+    SILENT_MODE_ALLOWED_METHODS = [
+      Net::HTTP::Get,
+      Net::HTTP::Head,
+      Net::HTTP::Options,
+      Net::HTTP::Trace
+    ].freeze
+
     include HTTParty # rubocop:disable Gitlab/HTTParty
 
     class << self
@@ -37,6 +45,8 @@ module Gitlab
     connection_adapter HTTPConnectionAdapter
 
     def self.perform_request(http_method, path, options, &block)
+      raise_if_blocked_by_silent_mode(http_method)
+
       log_info = options.delete(:extra_log_info)
       options_with_timeouts =
         if !options.has_key?(:timeout)
@@ -76,5 +86,20 @@ module Gitlab
     rescue *HTTP_ERRORS
       nil
     end
+
+    def self.raise_if_blocked_by_silent_mode(http_method)
+      return unless blocked_by_silent_mode?(http_method)
+
+      ::Gitlab::SilentMode.log_info(
+        message: 'Outbound HTTP request blocked',
+        outbound_http_request_method: http_method.to_s
+      )
+
+      raise SilentModeBlockedError, 'only get, head, options, and trace methods are allowed in silent mode'
+    end
+
+    def self.blocked_by_silent_mode?(http_method)
+      ::Gitlab::SilentMode.enabled? && SILENT_MODE_ALLOWED_METHODS.exclude?(http_method)
+    end
   end
 end