source.dussan.org Git - gitea.git/commit

author	Giteabot <teabot@gitea.io>
	Wed, 18 Oct 2023 13:07:52 +0000 (21:07 +0800)
committer	GitHub <noreply@github.com>
	Wed, 18 Oct 2023 13:07:52 +0000 (15:07 +0200)
commit	dab40cd5f4dd1ea4a273775f085f03761127d184
tree	8c298753f94bd83d4eef63c112501c8829c2430a	tree \| snapshot
parent	5b80157aad134f0a88910d6b2943d9e043e2ccea	commit \| diff

Support allowed hosts for webhook to work with proxy (#27655) (#27675)

Backport #27655 by @wolfogre

When `webhook.PROXY_URL` has been set, the old code will check if the
proxy host is in `ALLOWED_HOST_LIST` or reject requests through the
proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`.
However, it actually allows all requests to any port on the host, when
the proxy host is probably an internal address.

But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work
when requests are sent to the allowed proxy, and the proxy could forward
them to any hosts.

This PR fixes it by:

- If the proxy has been set, always allow connectioins to the host and
port.
- Check `ALLOWED_HOST_LIST` before forwarding.

Co-authored-by: Jason Song <i@wolfogre.com>

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD: https://github.com/go-gitea/gitea

RSS Atom

modules/hostmatcher/http.go		diff \| blob \| history
services/webhook/deliver.go		diff \| blob \| history
services/webhook/deliver_test.go		diff \| blob \| history