Gitlab::HTTP_V2::UrlAllowlist#ip_allowed? doesn't respect Gitlab::CurrentSettings.outbound_local_requests_whitelist
Summary
Gitlab::UrlBlockers::UrlAllowlist would rely on Gitlab::CurrentSettings.outbound_local_requests_whitelist by default. Gitlab::HTTP_V2::UrlAllowlist expects the allow-list to be provided as an argument.
This MR migrated several classes from the Gitlab::UrlBlocker to Gitlab::HTTP_V2::UrlBlocker. As far as I can tell, any of these usages that don't explicitly pass the allow-list as an argument to UrlBlocker will block local network requests, even if the address is in the allow-list.
Steps to reproduce
- Set up an external gitea (or really anything that will serve repos over HTTP(S)) instance on your local network.
- Create a repository on that instance.
- Configure your instance Network settings with the following, replacing the displayed IP with your network instance.
- Navigate to /projects/new#import_project and attempt to import your project by URL.
What is the current bug behavior?
After attempting the import, you receive the message 'Import url is blocked: Requests to the local network are not allowed.'
What is the expected correct behavior?
The project should successfully import.
Possible fixes
I think we can either:
- Update callers to provide the allow-list from the settings where appropriate.
- Update the V2 class to read the application setting and either merge or overwrite it with any provided arguments.
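
The following is an added sketch, not GitLab's code and not part of the original report: it models the reported behaviour and both proposed fixes with a standalone allow-list check. All method names, the INSTANCE_ALLOWLIST constant and the sample addresses are hypothetical and constructed for illustration.

```ruby
require 'ipaddr'

# Constructed stand-in for the instance-wide allow-list setting.
# Hypothetical constant, not GitLab's settings API.
INSTANCE_ALLOWLIST = ['192.168.1.50', '10.20.0.0/16', 'gitea.example.test'].freeze

# True when ip falls inside any IP or CIDR entry; non-IP entries are skipped.
def listed?(ip, entries)
  addr = IPAddr.new(ip)
  entries.any? do |entry|
    IPAddr.new(entry).include?(addr)
  rescue IPAddr::Error
    false # domain-name entries are out of scope for this sketch
  end
end

# Models a checker that trusts only its argument: with no argument passed,
# nothing is allow-listed, which is the behaviour the issue reports.
# Passing the list explicitly models the first proposed fix (callers supply it).
def allowed_argument_only?(ip, allowlist = [])
  listed?(ip, allowlist)
end

# Models the second proposed fix: read the instance setting and merge it
# with any entries the caller passes.
def allowed_with_setting?(ip, allowlist = [], setting: INSTANCE_ALLOWLIST)
  listed?(ip, setting | allowlist)
end

# Minimal blocker: local (private or loopback) addresses pass only when
# the chosen checker says they are allow-listed.
def check_request(ip, checker, allowlist = [])
  addr = IPAddr.new(ip)
  return :ok unless addr.private? || addr.loopback?
  return :ok if send(checker, ip, allowlist)

  'Requests to the local network are not allowed.'
end
```

A regression test for either fix would assert that a caller passing no allow-list still gets :ok for an address present in the instance setting, and still gets the blocked message for a local address that is not.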