Skip to content

Support allowed hosts for webhook to work with proxy (#27655) #27674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 18, 2023
Merged

Support allowed hosts for webhook to work with proxy (#27655) #27674

merged 1 commit into from
Oct 18, 2023

Conversation

GiteaBot
Copy link
Collaborator

Backport #27655 by @wolfogre

When webhook.PROXY_URL has been set, the old code will check if the proxy host is in ALLOWED_HOST_LIST or reject requests through the proxy. It requires users to add the proxy host to ALLOWED_HOST_LIST. However, it actually allows all requests to any port on the host, when the proxy host is probably an internal address.

But things may be even worse. ALLOWED_HOST_LIST doesn't really work when requests are sent to the allowed proxy, and the proxy could forward them to any hosts.

This PR fixes it by:

  • If the proxy has been set, always allow connectioins to the host and port.
  • Check ALLOWED_HOST_LIST before forwarding.

@wolfogre @GiteaBot
Support allowed hosts for webhook to work with proxy (go-gitea#27655)
d2b3514 
When `webhook.PROXY_URL` has been set, the old code will check if the
proxy host is in `ALLOWED_HOST_LIST` or reject requests through the
proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`.
However, it actually allows all requests to any port on the host, when
the proxy host is probably an internal address.

But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work
when requests are sent to the allowed proxy, and the proxy could forward
them to any hosts.

This PR fixes it by:

- If the proxy has been set, always allow connectioins to the host and
port.
- Check `ALLOWED_HOST_LIST` before forwarding.
@GiteaBot GiteaBot added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug labels Oct 18, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 18, 2023
@GiteaBot GiteaBot added this to the 1.20.6 milestone Oct 18, 2023
@GiteaBot GiteaBot requested review from appleboy and lunny October 18, 2023 09:44
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 18, 2023
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 18, 2023
@KN4CK3R KN4CK3R merged commit ca4418e into go-gitea:release/v1.20 Oct 18, 2023
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jan 16, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@lunny lunny lunny approved these changes

@KN4CK3R KN4CK3R KN4CK3R approved these changes

@appleboy appleboy Awaiting requested review from appleboy

Assignees

@wolfogre wolfogre

Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Projects
None yet
Milestone
1.20.6
Development

Successfully merging this pull request may close these issues.
4 participants
@GiteaBot @lunny @KN4CK3R @wolfogre