From 013fb73068281b45b33c72abaae0c42c8d79c499 Mon Sep 17 00:00:00 2001
From: wxiaoguang
Date: Sat, 20 Nov 2021 17:34:05 +0800
Subject: Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
---
 modules/lfs/client.go | 5 +++--
 modules/lfs/client_test.go | 4 ++--
 modules/lfs/http_client.go | 14 ++++++++------
 3 files changed, 13 insertions(+), 10 deletions(-)
(limited to 'modules/lfs')
diff --git a/modules/lfs/client.go b/modules/lfs/client.go
index 81b047c5bd..aaf61aefcf 100644
--- a/modules/lfs/client.go
+++ b/modules/lfs/client.go
@@ -7,6 +7,7 @@ package lfs
 import (
 "context"
 "io"
+ "net/http"
 "net/url"
 )
@@ -24,9 +25,9 @@ type Client interface {
 }
 // NewClient creates a LFS client
-func NewClient(endpoint *url.URL, skipTLSVerify bool) Client {
+func NewClient(endpoint *url.URL, httpTransport *http.Transport) Client {
 if endpoint.Scheme == "file" {
 return newFilesystemClient(endpoint)
 }
- return newHTTPClient(endpoint, skipTLSVerify)
+ return newHTTPClient(endpoint, httpTransport)
 }
diff --git a/modules/lfs/client_test.go b/modules/lfs/client_test.go
index ee6b7a59fc..88986f06d6 100644
--- a/modules/lfs/client_test.go
+++ b/modules/lfs/client_test.go
@@ -13,10 +13,10 @@ import (
 func TestNewClient(t *testing.T) {
 u, _ := url.Parse("file:///test")
- c := NewClient(u, true)
+ c := NewClient(u, nil)
 assert.IsType(t, &FilesystemClient{}, c)
 u, _ = url.Parse("https://test.com/lfs")
- c = NewClient(u, true)
+ c = NewClient(u, nil)
 assert.IsType(t, &HTTPClient{}, c)
 }
diff --git a/modules/lfs/http_client.go b/modules/lfs/http_client.go
index 5df5ed33a9..a1a3e7f363 100644
--- a/modules/lfs/http_client.go
+++ b/modules/lfs/http_client.go
@@ -7,7 +7,6 @@ package lfs
 import (
 "bytes"
 "context"
- "crypto/tls"
 "errors"
 "fmt"
 "net/http"
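Review bot: The doc comment on NewClient still reads `// NewClient creates a LFS client` and says nothing about the new httpTransport parameter, although nil has a defined meaning (newHTTPClient in modules/lfs/http_client.go substitutes a proxy-only transport) and the argument is unused for file endpoints. Suggest `// NewClient creates a LFS client. httpTransport may be nil, in which case the HTTP client falls back to a default proxy-only transport; it is ignored for file endpoints.` Since the host/IP checking this commit describes lives in the transport's DialContext, spelling out the nil fallback in the doc helps callers notice that passing nil opts out of it.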
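Review bot: Both TestNewClient cases now pass nil, so only the nil-fallback branch of newHTTPClient is exercised and nothing checks that a caller-supplied transport is the one actually installed. A third case that builds a `*http.Transport`, passes it with the https endpoint and asserts it is the transport the returned *HTTPClient uses would pin the wiring this commit introduces; the field holding the http.Client is outside this diff, so the exact assertion depends on its name.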
@@ -34,12 +33,15 @@ func (c *HTTPClient) BatchSize() int {
 return batchSize
 }
-func newHTTPClient(endpoint *url.URL, skipTLSVerify bool) *HTTPClient {
+func newHTTPClient(endpoint *url.URL, httpTransport *http.Transport) *HTTPClient {
+ if httpTransport == nil {
+ httpTransport = &http.Transport{
+ Proxy: proxy.Proxy(),
+ }
+ }
+
 hc := &http.Client{
- Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
- Proxy: proxy.Proxy(),
- },
+ Transport: httpTransport,
 }
 client := &HTTPClient{
-- cgit v1.2.3
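Review bot: The nil fallback at the top of newHTTPClient builds `&http.Transport{Proxy: proxy.Proxy()}` with no DialContext, so a caller that passes nil gets a transport without the host/IP checks the commit message describes and the allow/block list is silently not enforced for that client. That is worth stating next to the fallback so it is not mistaken for a safe default: `// nil falls back to a proxy-only transport without the hostmatcher DialContext; pass the configured transport to enforce the allow/block list.` The InsecureSkipVerify option is removed outright, so any caller that relied on skipTLSVerify must now set TLSClientConfig on the transport it passes, which the commit description does not mention. The remainder of newHTTPClient, including the use of client, continues outside the hunk.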