
[15.11] Fix no_proxy not working when DNS rebinding protection enabled

Stan Hu requested to merge sh-fix-no-proxy-webhooks-15-11 into 15-11-stable-ee

What does this MR do and why?

This backports !120412 (merged) to 15-11-stable-ee.

When a URL request is made, the Gitlab::UrlBlocker validates whether the request should be allowed to proceed and returns the URI and hostname that should be used to connect to the URL.

In GitLab 15.11, !115343 (merged) re-introduced skipping the DNS rebinding checks if a proxy server is enabled. It also carved out an exception for the no_proxy setting: if the URL is configured to bypass a proxy, UrlBlocker would allow the DNS rebinding protection to go ahead. DNS rebinding protection resolves the hostname to the IP address before the request is initiated.

When the HTTP request was initiated, the Net::HTTP request would compare the resolved IP against the no_proxy list. If the IP address did not match any entries in no_proxy, the request would erroneously be routed to the proxy server.

This change fixes the issue of no_proxy being ignored by returning a boolean, use_proxy, in UrlBlocker. If false, this tells the caller whether the proxy should be disabled, since the UrlBlocker normally does the necessary checks to determine whether a proxy should be used. This commit also refactors the return value to use a Struct.

Relates to #410636 (closed)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
  • The original MR has been deployed to GitLab.com (not applicable for documentation or spec changes).
  • This MR has a severity label assigned (if applicable).
  • This MR has been approved by a maintainer (only one approval is required).
  • Ensure the e2e:package-and-test-ee job has either succeeded or been approved by a Software Engineer in Test.

Note to the merge request author and maintainer

If you have questions about the patch release process, please:

Edited by Luke Duncalfe
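
The failure mode and the fix described above, as an added Ruby sketch that is not GitLab's code. BlockerResult, bypass_proxy?, decide_after_pinning and validate are hypothetical names, the no_proxy matching is simplified (no ports), a proxy is assumed to be configured, and the resolved IP is passed in as a constructed value instead of being looked up.

```ruby
require 'uri'
require 'ipaddr'

# Hypothetical result type, modelled on the Struct the description mentions.
BlockerResult = Struct.new(:uri, :hostname, :use_proxy)

# Constructed sample setting: one domain entry and one CIDR entry.
SAMPLE_NO_PROXY = 'internal.example,10.0.0.0/8'

# Simplified no_proxy matcher: exact host, domain suffix, or IP/CIDR match.
def bypass_proxy?(host, no_proxy)
  host = host.downcase
  no_proxy.split(',').map(&:strip).reject(&:empty?).any? do |entry|
    entry = entry.downcase
    next true if host == entry || host.end_with?(".#{entry.delete_prefix('.')}")
    begin
      IPAddr.new(entry).include?(IPAddr.new(host))
    rescue IPAddr::Error
      false # entry or host is not an IP address, so no CIDR match is possible
    end
  end
end

# Failure mode: once the hostname has been replaced by the pinned IP, the
# HTTP layer can only test the IP, so a hostname entry in no_proxy is missed.
def decide_after_pinning(resolved_ip, no_proxy)
  !bypass_proxy?(resolved_ip, no_proxy) # true means "route via the proxy"
end

# Fix: decide on the original hostname, then carry the decision to the caller.
def validate(url, resolved_ip, no_proxy)
  uri = URI.parse(url)
  # Proxied destinations skip IP pinning, as the description states.
  return BlockerResult.new(uri, nil, true) unless bypass_proxy?(uri.hostname, no_proxy)

  pinned = uri.dup
  pinned.hostname = resolved_ip # connect to the address that was validated
  BlockerResult.new(pinned, uri.hostname, false)
end
```

A caller would connect to the returned uri, pass hostname along for the Host header and TLS name, and disable the proxy for the request when use_proxy is false.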
