Invalid X-Forwarded-For IP 500 Crash with Trusted Proxy
This is related to #20194 (closed).
The merge request that ended up being accepted for that issue (5454) addresses invalid IPs set up as trusted proxies in the GitLab config, but doesn't address invalid IPs passed into the trusted_proxy? method, most notably from X-Forwarded-For headers that don't consist of just IPs. In my case, the source of the invalid IP is IIS's URL Rewrite module, which is adding the port to X-Forwarded-For (so instead of 184.108.40.206 it's passing 220.127.116.11:60606).
Since the configured trusted proxies are all parsed into gitlab_trusted_proxies, once you have a trusted proxy in the config, the === operator will try to parse the incoming IP to compare against it, throwing an IPAddr::InvalidAddressError (and resultant 500 errors) if it isn't a valid IP. This doesn't present until there's a valid IP in Gitlab.config.gitlab.trusted_proxies, as the two localhost items in the default configuration remain strings.
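
The behaviour described above can be reproduced with Ruby's standard `ipaddr` library alone. The following is an added example, not GitLab's code: the constants, the method names `naive_trusted_proxy?` and `safe_trusted_proxy?`, and the sample addresses are all hypothetical and constructed for illustration. It shows why a string-only proxy list never raises, why adding one parsed `IPAddr` entry does, and one defensive variant that treats an unparseable header value as untrusted.

```ruby
require 'ipaddr'

# Constructed sample data (hypothetical names, not GitLab's configuration).
DEFAULT_PROXIES    = ['127.0.0.1', '::1'].freeze   # defaults left as plain strings
CONFIGURED_PROXIES = (DEFAULT_PROXIES + [IPAddr.new('10.0.0.0/8')]).freeze

# Constructed X-Forwarded-For value with a port appended by an upstream proxy.
PORT_SUFFIXED = '203.0.113.7:60606'

# Naive check: compare every entry with ===.
# String#=== simply returns false for a non-matching string, but
# IPAddr#=== parses its argument first and raises if it is not an IP.
def naive_trusted_proxy?(ip, proxies)
  proxies.any? { |proxy| proxy === ip }
end

# Defensive check: parse the candidate once, up front.
# Anything that is not a valid address is treated as "not a trusted proxy"
# instead of letting the exception surface as a 500.
def safe_trusted_proxy?(ip, proxies)
  candidate = IPAddr.new(ip)
  proxies.any? do |proxy|
    proxy.is_a?(IPAddr) ? proxy.include?(candidate) : proxy == ip
  end
rescue IPAddr::Error # parent of InvalidAddressError and InvalidPrefixError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts naive_trusted_proxy?(PORT_SUFFIXED, DEFAULT_PROXIES)   # strings only: no error
  begin
    naive_trusted_proxy?(PORT_SUFFIXED, CONFIGURED_PROXIES)   # IPAddr entry: raises
  rescue IPAddr::InvalidAddressError => e
    puts "raised: #{e.class}"
  end
  puts safe_trusted_proxy?(PORT_SUFFIXED, CONFIGURED_PROXIES)
  puts safe_trusted_proxy?('10.1.2.3', CONFIGURED_PROXIES)
end
```

Returning `false` for an unparseable value is the conservative choice here: the entry is never granted trusted-proxy status, and the request is handled instead of crashing.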