Avoid DNS rebinding checks when the domain is whitelisted
Problem to solve
This issue originated from https://gitlab.com/gitlab-org/gitlab-ce/issues/66723 and https://gitlab.com/gitlab-org/gitlab-ce/issues/66105.
There are scenarios in which the DNS rebinding checks don't adjust to the user's workflow and block requests. This may be because the DNS is not propagated yet or because the URL is pointing to an internal URL (only resolvable by the private DNS server).
At the moment we can whitelist domains that can access IP addresses from the private network or even localhost. We can also move this check to the DNS checks and avoid doing them if the domain is whitelisted.
This targets those users who usually create automated environments or dynamic tasks that involve URLs that need to be propagated or that point to internal IP addresses.
I think the fix would be something like:
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb index 9c35d200dcb..e8682e0c6ad 100644 --- a/lib/gitlab/url_blocker.rb +++ b/lib/gitlab/url_blocker.rb @@ -49,7 +49,7 @@ module Gitlab hostname = uri.hostname port = get_port(uri) - address_info = get_address_info(hostname, port) + address_info = get_address_info(hostname, port, dns_rebind_protection) return [uri, nil] unless address_info ip_address = ip_address(address_info) @@ -110,11 +110,14 @@ module Gitlab validate_unicode_restriction(uri) if ascii_only end - def get_address_info(hostname, port) + def get_address_info(hostname, port, dns_rebind_protection) Addrinfo.getaddrinfo(hostname, port, nil, :STREAM).map do |addr| addr.ipv6_v4mapped? ? addr.ipv6_to_ipv4 : addr end rescue SocketError + _, domain_whitelist = + Gitlab::CurrentSettings.outbound_local_requests_whitelist_arrays + return if !dns_rebind_protection || local_domain_whitelisted?(domain_whitelist, hostname) # In the test suite we use a lot of mocked urls that are either invalid or # don't exist. In order to avoid modifying a ton of tests and factories # we allow invalid urls unless the environment variable RSPEC_ALLOW_INVALID_URLS
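Review bot: in the first hunk (@@ -49,7 +49,7), the unchanged line "return [uri, nil] unless address_info" right below the changed call now becomes the exit path for whitelisted and unprotected hostnames that fail to resolve, but nothing at that line says so. Everything after it, starting with "ip_address = ip_address(address_info)", is skipped on that path, so a short comment at the return naming the cases that reach it would help the next reader. Consider also passing dns_rebind_protection as a keyword argument, since a bare positional boolean is easy to misread at the call site.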
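Review bot: in the rescue SocketError branch of the second hunk (@@ -110,11 +110,14), the condition "!dns_rebind_protection || local_domain_whitelisted?(domain_whitelist, hostname)" returns nil for every unresolvable hostname whenever rebinding protection is off, not only for whitelisted domains, which is wider than the issue title describes. If that is intended, state it in a comment above the return; if not, drop the first operand so that only whitelisted hostnames bypass the error. The new lines also sit directly above a comment that describes the test-suite behaviour that follows them, so the early return needs its own comment, and the change should come with specs covering the whitelisted, non-whitelisted and protection-disabled cases.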