Merge remote-tracking branch 'dev/1-58-stable' into 1-58-stable1-58-stable

author: skarbek <jskarbek@gitlab.com> 2022-07-28 19:37:51 +0300
committer: skarbek <jskarbek@gitlab.com> 2022-07-28 19:37:51 +0300
commit: 5bf8f67527377440f381981fc0fcd900fb832ca3 (patch)
tree: 70fce8667cfe1242f17357ac62b2d8be559f6bad
parent: a80c58682c3c313f52deecdebecfef2d1f7e3b21 (diff)
parent: 74f53f4c5a5c81a65e3666ef6788d14d2de23588 (diff)
4 files changed, 33 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5f044e9d..9e3c9bfd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.58.1 (2022-07-12)
+
+### Security (1 change)
+
+- [Include remote address through X-Forwarded-For in job artifact request](gitlab-org/security/gitlab-pages@42f01f5365b65058faa5d3e53681c06034dfe3dd) ([merge request](gitlab-org/security/gitlab-pages!40))
+
 ## 1.58.0 (2022-05-17)
 
 ### Changed (3 changes)
diff --git a/VERSION b/VERSION
index 79f82f6b..69478d18 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.58.0
+1.58.1
diff --git a/internal/artifact/artifact.go b/internal/artifact/artifact.go
index dab1fb91..e33a9ab9 100644
--- a/internal/artifact/artifact.go
+++ b/internal/artifact/artifact.go
@@ -17,6 +17,7 @@ import (
 	"gitlab.com/gitlab-org/gitlab-pages/internal/httperrors"
 	"gitlab.com/gitlab-org/gitlab-pages/internal/httptransport"
 	"gitlab.com/gitlab-org/gitlab-pages/internal/logging"
+	"gitlab.com/gitlab-org/gitlab-pages/internal/request"
 )
 
 const (
@@ -88,6 +89,11 @@ func (a *Artifact) makeRequest(w http.ResponseWriter, r *http.Request, reqURL *u
 	if token != "" {
 		req.Header.Add("Authorization", "Bearer "+token)
 	}
+
+	// The GitLab API expects this value for Group IP restriction to work properly
+	// on requests coming through Pages.
+	req.Header.Set("X-Forwarded-For", request.GetRemoteAddrWithoutPort(r))
+
 	resp, err := a.client.Do(req)
 	if err != nil {
 		if errors.Is(err, context.Canceled) {
diff --git a/internal/artifact/artifact_test.go b/internal/artifact/artifact_test.go
index b8c2771b..472c0d7b 100644
--- a/internal/artifact/artifact_test.go
+++ b/internal/artifact/artifact_test.go
@@ -16,8 +16,6 @@ import (
 func TestTryMakeRequest(t *testing.T) {
 	content := "<!DOCTYPE html><html><head><title>Title of the document</title></head><body></body></html>"
 	contentType := "text/html; charset=utf-8"
-	testServer := makeArtifactServerStub(t, content, contentType)
-	defer testServer.Close()
 
 	cases := []struct {
 		Path         string
@@ -28,6 +26,8 @@ func TestTryMakeRequest(t *testing.T) {
 		CacheControl string
 		ContentType  string
 		Description  string
+		RemoteAddr   string
+		ForwardedIP  string
 	}{
 		{
 			"/200.html",
@@ -38,6 +38,8 @@ func TestTryMakeRequest(t *testing.T) {
 			"max-age=3600",
 			"text/html; charset=utf-8",
 			"basic successful request",
+			"1.2.3.4:8000",
+			"1.2.3.4",
 		},
 		{
 			"/200.html",
@@ -48,6 +50,8 @@ func TestTryMakeRequest(t *testing.T) {
 			"",
 			"text/html; charset=utf-8",
 			"basic successful request",
+			"1.2.3.4",
+			"1.2.3.4",
 		},
 		{
 			"/max-caching.html",
@@ -58,6 +62,8 @@ func TestTryMakeRequest(t *testing.T) {
 			"max-age=3600",
 			"text/html; charset=utf-8",
 			"max caching request",
+			"1.2.3.4",
+			"1.2.3.4",
 		},
 		{
 			"/non-caching.html",
@@ -68,17 +74,24 @@ func TestTryMakeRequest(t *testing.T) {
 			"",
 			"text/html; charset=utf-8",
 			"no caching request",
+			"1.2.3.4",
+			"1.2.3.4",
 		},
 	}
 
 	for _, c := range cases {
 		t.Run(c.Description, func(t *testing.T) {
-			result := httptest.NewRecorder()
+			testServer := makeArtifactServerStub(t, content, contentType, c.ForwardedIP)
+			defer testServer.Close()
+
 			reqURL, err := url.Parse("/-/subgroup/project/-/jobs/1/artifacts" + c.Path)
 			require.NoError(t, err)
 			r := &http.Request{URL: reqURL}
+			r.RemoteAddr = c.RemoteAddr
 			art := artifact.New(testServer.URL, 1, "gitlab-example.io")
 
+			result := httptest.NewRecorder()
+
 			require.True(t, art.TryMakeRequest("group.gitlab-example.io", result, r, c.Token, func(resp *http.Response) bool { return false }))
 			require.Equal(t, c.Status, result.Code)
 			require.Equal(t, c.ContentType, result.Header().Get("Content-Type"))
@@ -90,8 +103,10 @@ func TestTryMakeRequest(t *testing.T) {
 }
 
 // provide stub for testing different artifact responses
-func makeArtifactServerStub(t *testing.T, content string, contentType string) *httptest.Server {
+func makeArtifactServerStub(t *testing.T, content string, contentType string, expectedForwardedIP string) *httptest.Server {
 	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, expectedForwardedIP, r.Header.Get("X-Forwarded-For"))
+
 		w.Header().Set("Content-Type", contentType)
 		switch r.URL.RawPath {
 		case "/projects/group%2Fsubgroup%2Fproject/jobs/1/artifacts/200.html":
@@ -280,7 +295,7 @@ func TestBuildURL(t *testing.T) {
 func TestContextCanceled(t *testing.T) {
 	content := "<!DOCTYPE html><html><head><title>Title of the document</title></head><body></body></html>"
 	contentType := "text/html; charset=utf-8"
-	testServer := makeArtifactServerStub(t, content, contentType)
+	testServer := makeArtifactServerStub(t, content, contentType, "")
 	t.Cleanup(testServer.Close)
 
 	result := httptest.NewRecorder()
author	skarbek <jskarbek@gitlab.com>	2022-07-28 19:37:51 +0300
committer	skarbek <jskarbek@gitlab.com>	2022-07-28 19:37:51 +0300
commit	5bf8f67527377440f381981fc0fcd900fb832ca3 (patch)
tree	70fce8667cfe1242f17357ac62b2d8be559f6bad
parent	a80c58682c3c313f52deecdebecfef2d1f7e3b21 (diff)
parent	74f53f4c5a5c81a65e3666ef6788d14d2de23588 (diff)