
git: Don't use '*' wildcard with curl

Karthik Nayak requested to merge 4607-fix-fips-curl-issue into master

We are using the '*' wildcard for populating the CURLOPT_RESOLVE option with an entry *:$port:$resolved_ip. This is done to pre-resolve DNS names and prevent DNS rebinding issues.

The problem is that the wildcard support in curl was only added in v7.64 and newer. Our FIPS build images use curl v7.61 though, and thus curl's pre-populated cache entry is not used at all. Consequently, the vulnerability still exists on such systems.

Let's directly use the hostname instead to ensure we cover all versions of curl.

Closes #4607 (closed)
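
An added example, not part of the merge request or the project's own code: one way to build the hostname-based `CURLOPT_RESOLVE` entry described above, in Go. The helper name `resolveEntry` and the sample URLs and addresses are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// resolveEntry (hypothetical helper) builds a CURLOPT_RESOLVE entry in curl's
// HOST:PORT:ADDRESS form, pinning the URL's hostname to an already validated
// IP. The host is named explicitly instead of '*', so curl versions without
// wildcard support still use it. "" means the host is an IP literal.
func resolveEntry(rawURL, resolvedIP string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", fmt.Errorf("parse url: %w", err)
	}
	host := u.Hostname()
	if host == "" {
		return "", fmt.Errorf("url %q has no host", rawURL)
	}
	if net.ParseIP(host) != nil {
		return "", nil // no DNS lookup happens, so there is nothing to pin
	}
	ip := net.ParseIP(resolvedIP)
	if ip == nil {
		return "", fmt.Errorf("%q is not an IP address", resolvedIP)
	}
	port := u.Port()
	if port == "" {
		// The entry must name the port curl connects to: use the scheme default.
		switch u.Scheme {
		case "http":
			port = "80"
		case "https":
			port = "443"
		default:
			return "", fmt.Errorf("no default port for scheme %q", u.Scheme)
		}
	}
	return host + ":" + port + ":" + ip.String(), nil
}

func main() {
	// Constructed sample values (documentation ranges), not from the page.
	entry, err := resolveEntry("https://gitlab.example.com/group/repo.git", "192.0.2.10")
	fmt.Println(entry, err)
}
```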
