Don't attempt to resolve IPs when validating URLs during ApplicationSetting updates

Currently if an ApplicationSetting is updated:

  1. For each URL that is active, the URL validator attempts to call UrlBlocker (https://gitlab.com/gitlab-org/gitlab/-/blob/6ce882c12aea1dd10983c25565daa95f9214c3a3/app/validators/addressable_url_validator.rb#L89).
  2. UrlBlocker attempts to resolve the IP to ensure it is allowed: https://gitlab.com/gitlab-org/gitlab/-/blob/6ce882c12aea1dd10983c25565daa95f9214c3a3/gems/gitlab-http/lib/gitlab/http_v2/url_blocker.rb#L196-209

However, in a GitLab instance disconnected from the Internet, this can result in save errors:

→ Help page documentation base url is blocked: execution expired
→ Diagramsnet url is blocked: execution expired
→ Public runner releases url is blocked: execution expired

This has even happened to people setting up their GDK for some reason.

I think it's fine to validate that the URL is the correct form (e.g. https://foo.example.com), but I don't see why we need to resolve the address during validation.

I propose we drop this IP lookup during saving of ApplicationSetting.

These are the URLs that would be affected:

% git grep validates app/models/application_setting.rb | grep _url
app/models/application_setting.rb:  validates :grafana_url,
app/models/application_setting.rb:  validates :home_page_url,
app/models/application_setting.rb:  validates :help_page_support_url,
app/models/application_setting.rb:  validates :help_page_documentation_base_url,
app/models/application_setting.rb:  validates :kroki_url, presence: { if: :kroki_enabled }
app/models/application_setting.rb:  validates :plantuml_url, presence: true, if: :plantuml_enabled
app/models/application_setting.rb:  validates :sourcegraph_url, presence: true, if: :sourcegraph_enabled
app/models/application_setting.rb:  validates :diagramsnet_url,
app/models/application_setting.rb:  validates :gitpod_url,
app/models/application_setting.rb:  validates :asset_proxy_url,
app/models/application_setting.rb:  validates :static_objects_external_storage_url,
app/models/application_setting.rb:  validates :external_authorization_service_url,
app/models/application_setting.rb:  validates :spam_check_endpoint_url,
app/models/application_setting.rb:  validates :spam_check_endpoint_url,
app/models/application_setting.rb:  validates :jira_connect_proxy_url,
app/models/application_setting.rb:  validates :external_pipeline_validation_service_url,
app/models/application_setting.rb:  validates :error_tracking_api_url,
app/models/application_setting.rb:  validates :public_runner_releases_url,
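
The difference between a form-only check and a check that also resolves the host, as an added Ruby sketch; it is not GitLab's validator or UrlBlocker code and not part of the original issue. The function names and the injected resolvers are hypothetical, and the sample address is constructed.

```ruby
require 'uri'
require 'timeout'
require 'ipaddr'

ALLOWED_SCHEMES = %w[http https].freeze

# Form-only validation: parses the string and never touches the network,
# so it behaves the same on a connected and a disconnected instance.
def url_form_errors(url)
  uri = URI.parse(url.to_s)
  errors = []
  errors << 'scheme must be http or https' unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  errors << 'host is missing' if uri.host.to_s.empty?
  errors
rescue URI::InvalidURIError
  ['is not a valid URL']
end

# Validation that also resolves the host (hypothetical stand-in for a
# save-time lookup). `resolver` is injected so the sketch runs offline.
def url_errors_with_lookup(url, resolver:, timeout: 1)
  errors = url_form_errors(url)
  return errors unless errors.empty?

  addresses = Timeout.timeout(timeout) { resolver.call(URI.parse(url).host) }
  addresses.any? { |a| IPAddr.new(a).loopback? } ? ['is blocked: resolves to loopback'] : []
rescue Timeout::Error, SocketError => e
  # A resolver that cannot answer turns a well-formed URL into a save error.
  ["is blocked: #{e.message}"]
end

# Constructed resolvers: one for an instance with no reachable DNS, one that answers.
OFFLINE_RESOLVER = ->(_host) { raise Timeout::Error, 'execution expired' }
ONLINE_RESOLVER  = ->(_host) { ['203.0.113.10'] } # constructed documentation address

if __FILE__ == $PROGRAM_NAME
  url = 'https://foo.example.com'
  p url_form_errors(url)
  p url_errors_with_lookup(url, resolver: OFFLINE_RESOLVER)
  p url_errors_with_lookup(url, resolver: ONLINE_RESOLVER)
end
```

A lookup result at save time does not bind what the name resolves to when a request is made later, so address filtering is only meaningful at the point where the outbound request happens.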