Only allow webhook to send requests to allowed hosts (#17482)

author: wxiaoguang <wxiaoguang@gmail.com> 2021-11-01 16:39:52 +0800
committer: GitHub <noreply@github.com> 2021-11-01 16:39:52 +0800
commit: 599ff1c054e436daa4dc3f049aa8661d9c2395f9 (patch)
tree: 800983fd2e9d9de3dd1977738d18b64df34dd9ea /modules/migrations/migrate.go
parent: 4e8a81780ed4ff0423e3a2ac7f75265e362ca46d (diff)
download: gitea-599ff1c054e436daa4dc3f049aa8661d9c2395f9.tar.gz
gitea-599ff1c054e436daa4dc3f049aa8661d9c2395f9.zip
1 files changed, 1 insertions, 11 deletions
diff --git a/modules/migrations/migrate.go b/modules/migrations/migrate.go
index c5d78fba73..dbe69259f4 100644
--- a/modules/migrations/migrate.go
+++ b/modules/migrations/migrate.go
@@ -89,7 +89,7 @@ func IsMigrateURLAllowed(remoteURL string, doer *models.User) error {
 			return &models.ErrInvalidCloneAddr{Host: u.Host, NotResolvedIP: true}
 		}
 		for _, addr := range addrList {
-			if isIPPrivate(addr) || !addr.IsGlobalUnicast() {
+			if util.IsIPPrivate(addr) || !addr.IsGlobalUnicast() {
 				return &models.ErrInvalidCloneAddr{Host: u.Host, PrivateNet: addr.String(), IsPermissionDenied: true}
 			}
 		}
@@ -474,13 +474,3 @@ func Init() error {
 
 	return nil
 }
-
-// TODO: replace with `ip.IsPrivate()` if min go version is bumped to 1.17
-func isIPPrivate(ip net.IP) bool {
-	if ip4 := ip.To4(); ip4 != nil {
-		return ip4[0] == 10 ||
-			(ip4[0] == 172 && ip4[1]&0xf0 == 16) ||
-			(ip4[0] == 192 && ip4[1] == 168)
-	}
-	return len(ip) == net.IPv6len && ip[0]&0xfe == 0xfc
-}
author	wxiaoguang <wxiaoguang@gmail.com>	2021-11-01 16:39:52 +0800
committer	GitHub <noreply@github.com>	2021-11-01 16:39:52 +0800
commit	599ff1c054e436daa4dc3f049aa8661d9c2395f9 (patch)
tree	800983fd2e9d9de3dd1977738d18b64df34dd9ea /modules/migrations/migrate.go
parent	4e8a81780ed4ff0423e3a2ac7f75265e362ca46d (diff)
download	gitea-599ff1c054e436daa4dc3f049aa8661d9c2395f9.tar.gz gitea-599ff1c054e436daa4dc3f049aa8661d9c2395f9.zip