Use `hostmatcher` to replace `matchlist`, improve security (#17605)

Use hostmacher to replace matchlist.

And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.

1 files changed, 5 insertions, 3 deletions

diff --git a/services/migrations/migrate_test.go b/services/migrations/migrate_test.go
index 325064697e..e2363242a2 100644
--- a/services/migrations/migrate_test.go
+++ b/services/migrations/migrate_test.go
@@ -21,7 +21,8 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
 	adminUser := unittest.AssertExistsAndLoadBean(t, &models.User{Name: "user1"}).(*models.User)
 	nonAdminUser := unittest.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
 
-	setting.Migrations.AllowedDomains = []string{"github.com"}
+	setting.Migrations.AllowedDomains = "github.com"
+	setting.Migrations.AllowLocalNetworks = false
 	assert.NoError(t, Init())
 
 	err := IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)
@@ -33,8 +34,8 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
 	err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)
 	assert.NoError(t, err)
 
-	setting.Migrations.AllowedDomains = []string{}
-	setting.Migrations.BlockedDomains = []string{"github.com"}
+	setting.Migrations.AllowedDomains = ""
+	setting.Migrations.BlockedDomains = "github.com"
 	assert.NoError(t, Init())
 
 	err = IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)
@@ -47,6 +48,7 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
 	assert.Error(t, err)
 
 	setting.Migrations.AllowLocalNetworks = true
+	assert.NoError(t, Init())
 	err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)
 	assert.NoError(t, err)