From 013fb73068281b45b33c72abaae0c42c8d79c499 Mon Sep 17 00:00:00 2001
From: wxiaoguang
Date: Sat, 20 Nov 2021 17:34:05 +0800
Subject: Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
---
 routers/api/v1/repo/migrate.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'routers/api/v1')
diff --git a/routers/api/v1/repo/migrate.go b/routers/api/v1/repo/migrate.go
index 1880a88367..767972ee98 100644
--- a/routers/api/v1/repo/migrate.go
+++ b/routers/api/v1/repo/migrate.go
@@ -253,10 +253,8 @@ func handleRemoteAddrError(ctx *context.APIContext, err error) {
 case addrErr.IsPermissionDenied:
 if addrErr.LocalPath {
 ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import local repositories.")
- } else if len(addrErr.PrivateNet) == 0 {
- ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import from blocked hosts.")
 } else {
- ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import from private IPs.")
+ ctx.Error(http.StatusUnprocessableEntity, "", "You can not import from disallowed hosts.")
 }
 case addrErr.IsInvalidPath:
 ctx.Error(http.StatusUnprocessableEntity, "", "Invalid local path, it does not exist or not a directory.")
--
cgit v1.2.3
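Review bot: The new `else` branch in handleRemoteAddrError answers every non-local permission denial with one string, but nothing in the code says that it now stands for both the block-list and the allow-list case, and its wording (`can not`) departs from the sibling message `You are not allowed to import local repositories.`. I would add a comment above the call such as `// Any denied remote host (blocked or not on the allow list); the reply stays generic so it does not reveal which rule matched.` and phrase the string as `"You are not allowed to import from disallowed hosts."`. API clients that matched on either of the two removed messages will need updating; the 422 status is unchanged. This handler only reports the up-front address check, so the redirect-time check the commit message describes is presumably enforced in the dialer outside this diff; the function's body also starts and ends outside the hunk.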