DNS rebinding protection does not work properly in Ruby 3.1
In a Rails console in the GDK, this fails:
[1] pry(main)> Gitlab::HTTP.get('https://gitlab.com')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=172.65.251.78:443 state=error: sslv3 alert handshake failure
from /Users/stanhu/.asdf/installs/ruby/3.1.4/lib/ruby/gems/3.1.0/gems/net-protocol-0.1.3/lib/net/protocol.rb:47:in `connect_nonblock'
It appears this fails because of https://github.com/ruby/net-http/pull/36. Since DNS rebinding changed the hostname to an IP address, s.hostname is not set (https://github.com/ruby/net-http/pull/36/files#diff-a1d29a94def02829fd4f9ba591199acf079e028f5a2002a77c363eb01212e112R1060), so SNI isn't attempted. It appears the connection fails before the transport even begins, so config/initializers/http_hostname_override.rb doesn't get to run.
Edited by Stan Hu
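The following is an added illustration, not code from the issue, GitLab, or net-http. It models the behaviour described above (no SNI name when the connect address is an IP literal) and contrasts it with keeping the hostname as the address while pinning the validated IP through `Net::HTTP#ipaddr=`. The helper names, the use of Resolv's regexes for the IP test, and the sample host and IP are assumptions made for the example; no network connection is opened.

```ruby
require 'net/http'
require 'resolv'

# Model of the check described in the issue: the SNI hostname is left unset
# when the address is an IP literal. Using Resolv's regexes is this sketch's
# assumption about how "is an IP" is decided.
def sni_name_for(address)
  case address
  when Resolv::IPv4::Regex, Resolv::IPv6::Regex then nil
  else address
  end
end

# Rebinding protection as the issue describes it: the URL host is swapped for
# the already-validated IP, so the client only ever sees the IP.
def rebound_client(_host, validated_ip, port = 443)
  http = Net::HTTP.new(validated_ip, port)
  http.use_ssl = true
  http
end

# Hypothetical alternative: the hostname stays the address (so it remains
# available for SNI and certificate checks) and the TCP destination is pinned.
def pinned_client(host, validated_ip, port = 443)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.ipaddr = validated_ip # must be set before the session starts
  http
end

# Summarise what each client would connect to and offer as SNI.
def summarize(http)
  { address: http.address,
    connect_ip: http.ipaddr || http.address,
    sni: sni_name_for(http.address) }
end

if __FILE__ == $PROGRAM_NAME
  host = 'gitlab.example' # constructed sample values
  ip   = '203.0.113.10'   # TEST-NET-3 documentation address
  puts "rebound: #{summarize(rebound_client(host, ip))}"
  puts "pinned:  #{summarize(pinned_client(host, ip))}"
end
```

In both cases the socket goes to the validated IP, so the rebinding check still holds; only the pinned variant leaves a hostname for the TLS layer to send.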