Use `hostmatcher` to replace `matchlist`, improve security (#17605)

Use hostmacher to replace matchlist.

And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.

2 files changed, 6 insertions, 18 deletions

diff --git a/modules/setting/migrations.go b/modules/setting/migrations.go
index b663b52f89..34d9037275 100644
--- a/modules/setting/migrations.go
+++ b/modules/setting/migrations.go
@@ -4,17 +4,13 @@
 
 package setting
 
-import (
-	"strings"
-)
-
 var (
 	// Migrations settings
 	Migrations = struct {
 		MaxAttempts        int
 		RetryBackoff       int
-		AllowedDomains     []string
-		BlockedDomains     []string
+		AllowedDomains     string
+		BlockedDomains     string
 		AllowLocalNetworks bool
 		SkipTLSVerify      bool
 	}{
@@ -28,15 +24,8 @@ func newMigrationsService() {
 	Migrations.MaxAttempts = sec.Key("MAX_ATTEMPTS").MustInt(Migrations.MaxAttempts)
 	Migrations.RetryBackoff = sec.Key("RETRY_BACKOFF").MustInt(Migrations.RetryBackoff)
 
-	Migrations.AllowedDomains = sec.Key("ALLOWED_DOMAINS").Strings(",")
-	for i := range Migrations.AllowedDomains {
-		Migrations.AllowedDomains[i] = strings.ToLower(Migrations.AllowedDomains[i])
-	}
-	Migrations.BlockedDomains = sec.Key("BLOCKED_DOMAINS").Strings(",")
-	for i := range Migrations.BlockedDomains {
-		Migrations.BlockedDomains[i] = strings.ToLower(Migrations.BlockedDomains[i])
-	}
-
+	Migrations.AllowedDomains = sec.Key("ALLOWED_DOMAINS").MustString("")
+	Migrations.BlockedDomains = sec.Key("BLOCKED_DOMAINS").MustString("")
 	Migrations.AllowLocalNetworks = sec.Key("ALLOW_LOCALNETWORKS").MustBool(false)
 	Migrations.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool(false)
 }
diff --git a/modules/setting/webhook.go b/modules/setting/webhook.go
index acd5bd0455..6284f397b1 100644
--- a/modules/setting/webhook.go
+++ b/modules/setting/webhook.go
@@ -7,7 +7,6 @@ package setting
 import (
 	"net/url"
 
-	"code.gitea.io/gitea/modules/hostmatcher"
 	"code.gitea.io/gitea/modules/log"
 )
 
@@ -17,7 +16,7 @@ var (
 		QueueLength     int
 		DeliverTimeout  int
 		SkipTLSVerify   bool
-		AllowedHostList *hostmatcher.HostMatchList
+		AllowedHostList string
 		Types           []string
 		PagingNum       int
 		ProxyURL        string
@@ -38,7 +37,7 @@ func newWebhookService() {
 	Webhook.QueueLength = sec.Key("QUEUE_LENGTH").MustInt(1000)
 	Webhook.DeliverTimeout = sec.Key("DELIVER_TIMEOUT").MustInt(5)
 	Webhook.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool()
-	Webhook.AllowedHostList = hostmatcher.ParseHostMatchList(sec.Key("ALLOWED_HOST_LIST").MustString(hostmatcher.MatchBuiltinExternal))
+	Webhook.AllowedHostList = sec.Key("ALLOWED_HOST_LIST").MustString("")
 	Webhook.Types = []string{"gitea", "gogs", "slack", "discord", "dingtalk", "telegram", "msteams", "feishu", "matrix", "wechatwork"}
 	Webhook.PagingNum = sec.Key("PAGING_NUM").MustInt(10)
 	Webhook.ProxyURL = sec.Key("PROXY_URL").MustString("")