mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-15 05:18:46 +02:00
Addresses a batch of privately reported security issues, grouped by area: - **SSRF** - migration PR-patch/asset fetches, OAuth2 avatar & OpenID discovery, pull-mirror URL re-validation, and the outbound proxy path. - **Access-token scope** - prevent scope escalation on token creation; keep public-only tokens confined (feeds, packages, Actions listings, star/watch lists, limited/private owners). - **Access control / disclosure** - go-get default-branch leak, webhook authorization-header leak, watch clearing on private transitions, label/attachment scoping. - **Denial of service** - input bounds for npm dist-tags, Debian control files, Arch file lists, and SSH keys. ### 📌 Attention for site admins Not breaking - existing configs keep working - but two changes are worth a look: - **New SSRF protection** Outbound requests (migrations, OAuth2 avatars, OpenID discovery, pull mirrors, proxy path) are now validated against the allow/block host lists. If your instance legitimately reaches internal hosts, you may need to add them to `[security].ALLOWED_HOST_LIST` (and the relevant `ALLOW_LOCALNETWORKS` settings). - **Deprecation** `[webhook].ALLOWED_HOST_LIST` is deprecated and will be removed in a future release. Use `[security].ALLOWED_HOST_LIST` instead; the old key still works for now. --------- Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Zettat123 <zettat123@gmail.com>
82 lines
3.4 KiB
Go
82 lines
3.4 KiB
Go
// Copyright 2021 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package hostmatcher
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"syscall"
|
|
"time"
|
|
)
|
|
|
|
// NewDialContext returns a DialContext for Transport, the DialContext will do allow/block list check
|
|
func NewDialContext(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
// How Go HTTP Client works with redirection:
|
|
// transport.RoundTrip URL=http://domain.com, Host=domain.com
|
|
// transport.DialContext addrOrHost=domain.com:80
|
|
// dialer.Control tcp4:11.22.33.44:80
|
|
// transport.RoundTrip URL=http://www.domain.com/, Host=(empty here, in the direction, HTTP client doesn't fill the Host field)
|
|
// transport.DialContext addrOrHost=domain.com:80
|
|
// dialer.Control tcp4:11.22.33.44:80
|
|
return func(ctx context.Context, network, addrOrHost string) (net.Conn, error) {
|
|
dialer := net.Dialer{
|
|
// default values comes from http.DefaultTransport
|
|
Timeout: 30 * time.Second,
|
|
KeepAlive: 30 * time.Second,
|
|
|
|
Control: func(network, ipAddr string, c syscall.RawConn) error {
|
|
host, port, err := net.SplitHostPort(addrOrHost)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if proxy != nil {
|
|
// Always allow the host of the proxy, but only on the specified port.
|
|
if host == proxy.Hostname() && port == proxy.Port() {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// in Control func, the addr was already resolved to IP:PORT format, there is no cost to do ResolveTCPAddr here
|
|
tcpAddr, err := net.ResolveTCPAddr(network, ipAddr)
|
|
if err != nil {
|
|
return fmt.Errorf("%s can only call HTTP servers via TCP, deny '%s(%s:%s)', err=%w", usage, host, network, ipAddr, err)
|
|
}
|
|
|
|
var blockedError error
|
|
if blockList.MatchHostOrIP(host, tcpAddr.IP) {
|
|
blockedError = fmt.Errorf("%s can not call blocked HTTP servers (check your %s setting), deny '%s(%s)'", usage, blockList.SettingKeyHint, host, ipAddr)
|
|
}
|
|
|
|
// if we have an allow-list, check the allow-list first
|
|
if !allowList.IsEmpty() {
|
|
if !allowList.MatchHostOrIP(host, tcpAddr.IP) {
|
|
return fmt.Errorf("%s can only call allowed HTTP servers (check your %s setting), deny '%s(%s)'", usage, allowList.SettingKeyHint, host, ipAddr)
|
|
}
|
|
}
|
|
// otherwise, we always follow the blocked list
|
|
return blockedError
|
|
},
|
|
}
|
|
return dialer.DialContext(ctx, network, addrOrHost)
|
|
}
|
|
}
|
|
|
|
// NewHTTPTransport builds an http.Transport that validates the request target against the allow/block
|
|
// lists on the direct-dial path (DialContext). When an HTTP proxy is configured the proxy resolves and
|
|
// dials the target itself, so restricting the proxied target is the proxy server's responsibility, not
|
|
// Gitea's. proxyFunc selects the proxy URL per request (the http.Transport.Proxy selector, e.g.
|
|
// proxy.Proxy()); proxyURLFixed is the fixed proxy address the dialer must always permit; tlsConfig may
|
|
// be nil. blockList may be nil for callers that only maintain an allow-list.
|
|
func NewHTTPTransport(usage string, allowList, blockList *HostMatchList, proxyFunc func(*http.Request) (*url.URL, error), proxyURLFixed *url.URL, tlsConfig *tls.Config) *http.Transport {
|
|
return &http.Transport{
|
|
TLSClientConfig: tlsConfig,
|
|
Proxy: proxyFunc,
|
|
DialContext: NewDialContext(usage, allowList, blockList, proxyURLFixed),
|
|
}
|
|
}
|