From 6eb3fc69f6a1f705b6f366dc14d306e1409ee721 Mon Sep 17 00:00:00 2001
From: Thong Kuah <tkuah@gitlab.com>
Date: Fri, 26 Oct 2018 23:53:40 +1300
Subject: Monkey kubeclient to not follow any redirects.

This should prevent any malicious server from responding with a location
that will redirect us and expose internal services, as kubeclient's
rest-client will no longer follow redirects.
---
 config/initializers/kubeclient.rb | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'config/initializers')

diff --git a/config/initializers/kubeclient.rb b/config/initializers/kubeclient.rb
index 7f115268b37..2d9f439fdc0 100644
--- a/config/initializers/kubeclient.rb
+++ b/config/initializers/kubeclient.rb
@@ -13,4 +13,25 @@ class Kubeclient::Client
     ns_prefix = build_namespace_prefix(namespace)
     rest_client["#{ns_prefix}#{entity_name_plural}/#{name}:#{port}/proxy"].url
   end
+
+  # Monkey patch to set `max_redirects: 0`, so that kubeclient
+  # does not follow redirects and expose internal services.
+  # See https://gitlab.com/gitlab-org/gitlab-ce/issues/53158
+  def create_rest_client(path = nil)
+    path ||= @api_endpoint.path
+    options = {
+      ssl_ca_file: @ssl_options[:ca_file],
+      ssl_cert_store: @ssl_options[:cert_store],
+      verify_ssl: @ssl_options[:verify_ssl],
+      ssl_client_cert: @ssl_options[:client_cert],
+      ssl_client_key: @ssl_options[:client_key],
+      proxy: @http_proxy_uri,
+      user: @auth_options[:username],
+      password: @auth_options[:password],
+      open_timeout: @timeouts[:open],
+      read_timeout: @timeouts[:read],
+      max_redirects: 0
+    }
+    RestClient::Resource.new(@api_endpoint.merge(path).to_s, options)
+  end
 end
-- 
cgit v1.2.3