Gitlab::HTTP_V2::UrlAllowlist#ip_allowed? doesn't respect Gitlab::CurrentSettings.outbound_local_requests_whitelist

Summary

Gitlab::UrlBlockers::UrlAllowlist would load rely on Gitlab::CurrentSettings.outbound_local_requests_whitelist by default. Gitlab::HTTP_V2::UrlAllowlist expects the allow-list to be provided as an argument.

This MR migrated several classes from the Gitlab::UrlBlocker to Gitlab::HTTP_V2::UrlBlocker. As far as I can tell, any of these usages that don't explicitly pass the allow-list as an argument to UrlBlocker will block local network requests, even if the address is in the allow-list.

Steps to reproduce

  1. Set up an external gitea (or really anything that will serve repos over HTTP(S)) instance on your local network.
  2. Create a repository on that instance.
  3. Configure your instance Network settings with the following, replacing the displayed IP with your network instance.

CleanShot_2024-01-26_at_11.53.06_2x

  1. Navigate to /projects/new#import_project and attempt to import your project by URL.

What is the current bug behavior?

After attempting the import, you receive the message 'Import url is blocked: Requests to the local network are not allowed.'

What is the expected correct behavior?

The project should successfully import.

Possible fixes

I think we can either:

  1. Update callers to provide the allow-list from the settings where appropriate.
  2. Update the V2 class to read the application setting and either merge or overwrite it with any provided arguments.