Use hostmatcher to replace matchlist, improve security (#17605)

Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
2021-11-20 17:34:05 +08:00 · 2021-11-20 17:34:05 +08:00 · 013fb73068
commit 013fb73068
parent c96be0cd98
33 changed files with 377 additions and 293 deletions
--- a/modules/setting/migrations.go
+++ b/modules/setting/migrations.go
@ -4,17 +4,13 @@

 package setting

-import (
-	"strings"
-)
-
 var (
 	// Migrations settings
 	Migrations = struct {
 		MaxAttempts        int
 		RetryBackoff       int
-		AllowedDomains     []string
-		BlockedDomains     []string
+		AllowedDomains     string
+		BlockedDomains     string
 		AllowLocalNetworks bool
 		SkipTLSVerify      bool
 	}{
@ -28,15 +24,8 @@ func newMigrationsService() {
 	Migrations.MaxAttempts = sec.Key("MAX_ATTEMPTS").MustInt(Migrations.MaxAttempts)
 	Migrations.RetryBackoff = sec.Key("RETRY_BACKOFF").MustInt(Migrations.RetryBackoff)

-	Migrations.AllowedDomains = sec.Key("ALLOWED_DOMAINS").Strings(",")
-	for i := range Migrations.AllowedDomains {
-		Migrations.AllowedDomains[i] = strings.ToLower(Migrations.AllowedDomains[i])
-	}
-	Migrations.BlockedDomains = sec.Key("BLOCKED_DOMAINS").Strings(",")
-	for i := range Migrations.BlockedDomains {
-		Migrations.BlockedDomains[i] = strings.ToLower(Migrations.BlockedDomains[i])
-	}
-
+	Migrations.AllowedDomains = sec.Key("ALLOWED_DOMAINS").MustString("")
+	Migrations.BlockedDomains = sec.Key("BLOCKED_DOMAINS").MustString("")
 	Migrations.AllowLocalNetworks = sec.Key("ALLOW_LOCALNETWORKS").MustBool(false)
 	Migrations.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool(false)
 }
--- a/modules/setting/webhook.go
+++ b/modules/setting/webhook.go
@ -7,7 +7,6 @@ package setting
 import (
 	"net/url"

-	"code.gitea.io/gitea/modules/hostmatcher"
 	"code.gitea.io/gitea/modules/log"
 )

@ -17,7 +16,7 @@ var (
 		QueueLength     int
 		DeliverTimeout  int
 		SkipTLSVerify   bool
-		AllowedHostList *hostmatcher.HostMatchList
+		AllowedHostList string
 		Types           []string
 		PagingNum       int
 		ProxyURL        string
@ -38,7 +37,7 @@ func newWebhookService() {
 	Webhook.QueueLength = sec.Key("QUEUE_LENGTH").MustInt(1000)
 	Webhook.DeliverTimeout = sec.Key("DELIVER_TIMEOUT").MustInt(5)
 	Webhook.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool()
-	Webhook.AllowedHostList = hostmatcher.ParseHostMatchList(sec.Key("ALLOWED_HOST_LIST").MustString(hostmatcher.MatchBuiltinExternal))
+	Webhook.AllowedHostList = sec.Key("ALLOWED_HOST_LIST").MustString("")
 	Webhook.Types = []string{"gitea", "gogs", "slack", "discord", "dingtalk", "telegram", "msteams", "feishu", "matrix", "wechatwork"}
 	Webhook.PagingNum = sec.Key("PAGING_NUM").MustInt(10)
 	Webhook.ProxyURL = sec.Key("PROXY_URL").MustString("")