author | wxiaoguang <wxiaoguang@gmail.com> | 2021-11-20 17:34:05 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-20 17:34:05 +0800 |
commit | 013fb73068281b45b33c72abaae0c42c8d79c499 (patch) | |
tree | 5cb710ea15a6f471648ecf19e2fdfab9804cb084 /services/mirror | |
parent | c96be0cd982255f20a3fe6ff4683115b8073e65e (diff) | |
download | gitea-013fb73068281b45b33c72abaae0c42c8d79c499.tar.gz gitea-013fb73068281b45b33c72abaae0c42c8d79c499.zip |
Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmatcher to replace matchlist.
And we introduce a better DialContext to do a full host/IP check; otherwise attackers can still bypass the allow/block list with a 302 redirect.
Diffstat (limited to 'services/mirror')
-rw-r--r-- | services/mirror/mirror_pull.go | 5 | ||||
-rw-r--r-- | services/mirror/mirror_push.go | 13 |
2 files changed, 9 insertions, 9 deletions
diff --git a/services/mirror/mirror_pull.go b/services/mirror/mirror_pull.go
index 67eaa61c9c..75b235e21a 100644
--- a/services/mirror/mirror_pull.go
+++ b/services/mirror/mirror_pull.go
@@ -261,8 +261,9 @@ func runSync(ctx context.Context, m *models.Mirror) ([]*mirrorSyncResult, bool)
 if m.LFS && setting.LFS.StartServer {
 log.Trace("SyncMirrors [repo: %-v]: syncing LFS objects...", m.Repo)
- ep := lfs.DetermineEndpoint(remoteAddr.String(), m.LFSEndpoint)
- if err = repo_module.StoreMissingLfsObjectsInRepository(ctx, m.Repo, gitRepo, ep, false); err != nil {
+ endpoint := lfs.DetermineEndpoint(remoteAddr.String(), m.LFSEndpoint)
+ lfsClient := lfs.NewClient(endpoint, nil)
+ if err = repo_module.StoreMissingLfsObjectsInRepository(ctx, m.Repo, gitRepo, lfsClient); err != nil {
 log.Error("Failed to synchronize LFS objects for repository: %v", err)
 }
 }
diff --git a/services/mirror/mirror_push.go b/services/mirror/mirror_push.go
index c1f53196e3..7e33ffed3e 100644
--- a/services/mirror/mirror_push.go
+++ b/services/mirror/mirror_push.go
@@ -8,7 +8,6 @@ import (
 "context"
 "errors"
 "io"
- "net/url"
 "regexp"
 "time"
@@ -133,8 +132,9 @@ func runPushSync(ctx context.Context, m *models.PushMirror) error {
 }
 defer gitRepo.Close()
- ep := lfs.DetermineEndpoint(remoteAddr.String(), "")
- if err := pushAllLFSObjects(ctx, gitRepo, ep, false); err != nil {
+ endpoint := lfs.DetermineEndpoint(remoteAddr.String(), "")
+ lfsClient := lfs.NewClient(endpoint, nil)
+ if err := pushAllLFSObjects(ctx, gitRepo, lfsClient); err != nil {
 return util.NewURLSanitizedError(err, remoteAddr, true)
 }
 }
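Review bot: The `nil` passed as the second argument in `lfs.NewClient(endpoint, nil)` in runSync leaves it unstated which HTTP transport the mirror's LFS client ends up with, and the same call appears in the runPushSync hunk of mirror_push.go. The endpoint is derived from `remoteAddr` and `m.LFSEndpoint`, which appear to be mirror-configured values, so given the commit's stated goal both call sites should be confirmed to get the dial-time host/IP check from whatever default `nil` selects, along with the TLS verification the old explicit `false` asked for; lfs.NewClient itself is not visible on this page. If the default is intended, a comment at each call such as `// nil: default LFS transport; allow/block list enforced in <where>` would make that explicit. Both enclosing functions start and end outside their hunks.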
@@ -176,8 +176,7 @@ func runPushSync(ctx context.Context, m *models.PushMirror) error {
 return nil
 }
-func pushAllLFSObjects(ctx context.Context, gitRepo *git.Repository, endpoint *url.URL, skipTLSVerify bool) error {
- client := lfs.NewClient(endpoint, skipTLSVerify)
+func pushAllLFSObjects(ctx context.Context, gitRepo *git.Repository, lfsClient lfs.Client) error {
 contentStore := lfs.NewContentStore()
 pointerChan := make(chan lfs.PointerBlob)
@@ -185,7 +184,7 @@ func pushAllLFSObjects(ctx context.Context, gitRepo *git.Repository, endpoint *u
 go lfs.SearchPointerBlobs(ctx, gitRepo, pointerChan, errChan)
 uploadObjects := func(pointers []lfs.Pointer) error {
- err := client.Upload(ctx, pointers, func(p lfs.Pointer, objectError error) (io.ReadCloser, error) {
+ err := lfsClient.Upload(ctx, pointers, func(p lfs.Pointer, objectError error) (io.ReadCloser, error) {
 if objectError != nil {
 return nil, objectError
 }
@@ -219,7 +218,7 @@ func pushAllLFSObjects(ctx context.Context, gitRepo *git.Repository, endpoint *u
 }
 batch = append(batch, pointerBlob.Pointer)
- if len(batch) >= client.BatchSize() {
+ if len(batch) >= lfsClient.BatchSize() {
 if err := uploadObjects(batch); err != nil {
 return err
 }
|
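Review bot: pushAllLFSObjects has no doc comment, and with the new signature the endpoint, transport and TLS policy are decided by whoever builds `lfsClient` rather than inside this function. A comment such as `// pushAllLFSObjects uploads the LFS objects found in gitRepo through lfsClient; the caller is responsible for the client's endpoint and transport policy.` would record that contract for future callers. The function body continues beyond this hunk, so the wording about what is uploaded should be checked against the full body.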