[378267] Skip DNS rebinding checks if HTTP_PROXY present

What does this MR do and why?

Implementation for Skip DNS rebinding protection when HTTP_PROXY environment is set.

Screenshots or screen recordings

How to set up and validate locally

  • Set up a forward proxy locally. I used the nginx Docker image for that purpose and set it up on port 8888.
  • Change the api_endpoint and web_endpoint methods in lib/gitlab/github_import/client.rb to http://api.github.com and http://github.com. Or you could probably change the GitHub OmniAuth site value to an http (not https) endpoint if your proxy doesn't support https, like mine.
  • Turn off your/proxy internet connection. It's the simplest way to make the host resolution process fail.

My nginx proxy config:
server {

    listen 8888;

    location / {
        resolver 8.8.8.8;

        proxy_pass https://$http_host$uri$is_args$args;
        proxy_pass_request_headers on;
        proxy_pass_request_body on;
        proxy_read_timeout 2s;
    }

}

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Rostyslav Safonov
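
The behaviour this MR's validation steps exercise, as an added Ruby sketch that is not GitLab's code or part of the merge request: with no proxy, the URL validator resolves the host, rejects blocked addresses and pins the connection to the checked IP; with HTTP_PROXY set, it skips local resolution, so name resolution and destination filtering become the proxy's job. The names `validate_url`, `proxy_configured?`, `BLOCKED_NETS` and the injected `resolver` are hypothetical, and the address ranges are constructed sample data.

```ruby
require 'ipaddr'
require 'socket' # defines SocketError
require 'uri'

# Constructed deny-list for this example; a real deployment has its own policy.
BLOCKED_NETS = %w[127.0.0.0/8 10.0.0.0/8 169.254.0.0/16].map { |c| IPAddr.new(c) }

class BlockedUrlError < StandardError; end

# True when an outbound HTTP proxy is configured in the given environment.
def proxy_configured?(env)
  %w[http_proxy HTTP_PROXY].any? { |k| !env[k].to_s.empty? }
end

# Hypothetical validator. Returns [uri_to_connect_to, host_header_or_nil].
# resolver: callable mapping a hostname to an array of IP strings; it raises
# SocketError when the name cannot be resolved, as a real lookup would.
def validate_url(url, env:, resolver:)
  uri = URI.parse(url)
  unless %w[http https].include?(uri.scheme)
    raise BlockedUrlError, 'only http and https are allowed'
  end

  # Behind a proxy this host may be unable to resolve external names at all,
  # and the proxy does its own lookup anyway, so pinning an IP here is moot.
  return [uri, nil] if proxy_configured?(env)

  addrs = resolver.call(uri.hostname)
  raise BlockedUrlError, "#{uri.hostname} has no addresses" if addrs.empty?
  if addrs.any? { |a| BLOCKED_NETS.any? { |net| net.include?(IPAddr.new(a)) } }
    raise BlockedUrlError, "#{uri.hostname} resolves to a blocked address"
  end

  # Rebinding protection: connect to the address that was just checked and
  # send the original name in the Host header, so a second DNS answer
  # cannot redirect the request after validation.
  pinned = uri.dup
  pinned.hostname = addrs.first
  [pinned, uri.hostname]
end
```

Because the check is skipped whenever a proxy is configured, the proxy's own egress rules are the remaining control on which internal destinations a request can reach.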