diff options
author | wxiaoguang <wxiaoguang@gmail.com> | 2021-11-20 17:34:05 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-20 17:34:05 +0800 |
commit | 013fb73068281b45b33c72abaae0c42c8d79c499 (patch) | |
tree | 5cb710ea15a6f471648ecf19e2fdfab9804cb084 /modules/lfs | |
parent | c96be0cd982255f20a3fe6ff4683115b8073e65e (diff) | |
download | gitea-013fb73068281b45b33c72abaae0c42c8d79c499.tar.gz gitea-013fb73068281b45b33c72abaae0c42c8d79c499.zip |
Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmacher to replace matchlist.
And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
Diffstat (limited to 'modules/lfs')
-rw-r--r-- | modules/lfs/client.go | 5 | ||||
-rw-r--r-- | modules/lfs/client_test.go | 4 | ||||
-rw-r--r-- | modules/lfs/http_client.go | 14 |
3 files changed, 13 insertions, 10 deletions
diff --git a/modules/lfs/client.go b/modules/lfs/client.go index 81b047c5bd..aaf61aefcf 100644 --- a/modules/lfs/client.go +++ b/modules/lfs/client.go @@ -7,6 +7,7 @@ package lfs import ( "context" "io" + "net/http" "net/url" ) @@ -24,9 +25,9 @@ type Client interface { } // NewClient creates a LFS client -func NewClient(endpoint *url.URL, skipTLSVerify bool) Client { +func NewClient(endpoint *url.URL, httpTransport *http.Transport) Client { if endpoint.Scheme == "file" { return newFilesystemClient(endpoint) } - return newHTTPClient(endpoint, skipTLSVerify) + return newHTTPClient(endpoint, httpTransport) } diff --git a/modules/lfs/client_test.go b/modules/lfs/client_test.go index ee6b7a59fc..88986f06d6 100644 --- a/modules/lfs/client_test.go +++ b/modules/lfs/client_test.go @@ -13,10 +13,10 @@ import ( func TestNewClient(t *testing.T) { u, _ := url.Parse("file:///test") - c := NewClient(u, true) + c := NewClient(u, nil) assert.IsType(t, &FilesystemClient{}, c) u, _ = url.Parse("https://test.com/lfs") - c = NewClient(u, true) + c = NewClient(u, nil) assert.IsType(t, &HTTPClient{}, c) } diff --git a/modules/lfs/http_client.go b/modules/lfs/http_client.go index 5df5ed33a9..a1a3e7f363 100644 --- a/modules/lfs/http_client.go +++ b/modules/lfs/http_client.go @@ -7,7 +7,6 @@ package lfs import ( "bytes" "context" - "crypto/tls" "errors" "fmt" "net/http" @@ -34,12 +33,15 @@ func (c *HTTPClient) BatchSize() int { return batchSize } -func newHTTPClient(endpoint *url.URL, skipTLSVerify bool) *HTTPClient { +func newHTTPClient(endpoint *url.URL, httpTransport *http.Transport) *HTTPClient { + if httpTransport == nil { + httpTransport = &http.Transport{ + Proxy: proxy.Proxy(), + } + } + hc := &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify}, - Proxy: proxy.Proxy(), - }, + Transport: httpTransport, } client := &HTTPClient{ |