summaryrefslogtreecommitdiffstats
path: root/modules/lfs
diff options
context:
space:
mode:
authorwxiaoguang <wxiaoguang@gmail.com>2021-11-20 17:34:05 +0800
committerGitHub <noreply@github.com>2021-11-20 17:34:05 +0800
commit013fb73068281b45b33c72abaae0c42c8d79c499 (patch)
tree5cb710ea15a6f471648ecf19e2fdfab9804cb084 /modules/lfs
parentc96be0cd982255f20a3fe6ff4683115b8073e65e (diff)
downloadgitea-013fb73068281b45b33c72abaae0c42c8d79c499.tar.gz
gitea-013fb73068281b45b33c72abaae0c42c8d79c499.zip
Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
Diffstat (limited to 'modules/lfs')
-rw-r--r--modules/lfs/client.go5
-rw-r--r--modules/lfs/client_test.go4
-rw-r--r--modules/lfs/http_client.go14
3 files changed, 13 insertions, 10 deletions
diff --git a/modules/lfs/client.go b/modules/lfs/client.go
index 81b047c5bd..aaf61aefcf 100644
--- a/modules/lfs/client.go
+++ b/modules/lfs/client.go
@@ -7,6 +7,7 @@ package lfs
import (
"context"
"io"
+ "net/http"
"net/url"
)
@@ -24,9 +25,9 @@ type Client interface {
}
// NewClient creates a LFS client
-func NewClient(endpoint *url.URL, skipTLSVerify bool) Client {
+func NewClient(endpoint *url.URL, httpTransport *http.Transport) Client {
if endpoint.Scheme == "file" {
return newFilesystemClient(endpoint)
}
- return newHTTPClient(endpoint, skipTLSVerify)
+ return newHTTPClient(endpoint, httpTransport)
}
diff --git a/modules/lfs/client_test.go b/modules/lfs/client_test.go
index ee6b7a59fc..88986f06d6 100644
--- a/modules/lfs/client_test.go
+++ b/modules/lfs/client_test.go
@@ -13,10 +13,10 @@ import (
func TestNewClient(t *testing.T) {
u, _ := url.Parse("file:///test")
- c := NewClient(u, true)
+ c := NewClient(u, nil)
assert.IsType(t, &FilesystemClient{}, c)
u, _ = url.Parse("https://test.com/lfs")
- c = NewClient(u, true)
+ c = NewClient(u, nil)
assert.IsType(t, &HTTPClient{}, c)
}
diff --git a/modules/lfs/http_client.go b/modules/lfs/http_client.go
index 5df5ed33a9..a1a3e7f363 100644
--- a/modules/lfs/http_client.go
+++ b/modules/lfs/http_client.go
@@ -7,7 +7,6 @@ package lfs
import (
"bytes"
"context"
- "crypto/tls"
"errors"
"fmt"
"net/http"
@@ -34,12 +33,15 @@ func (c *HTTPClient) BatchSize() int {
return batchSize
}
-func newHTTPClient(endpoint *url.URL, skipTLSVerify bool) *HTTPClient {
+func newHTTPClient(endpoint *url.URL, httpTransport *http.Transport) *HTTPClient {
+ if httpTransport == nil {
+ httpTransport = &http.Transport{
+ Proxy: proxy.Proxy(),
+ }
+ }
+
hc := &http.Client{
- Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
- Proxy: proxy.Proxy(),
- },
+ Transport: httpTransport,
}
client := &HTTPClient{