[15.11] Fix no_proxy not working when DNS rebinding protection enabled
What does this MR do and why?
This backports !120412 (merged) to 15-11-stable-ee.
When a URL request is made, the Gitlab::UrlBlocker validates whether the request should be allowed to proceed and returns the URI and hostname that should be used to connect to the URL.

In GitLab 15.11, !115343 (merged) re-introduced skipping DNS rebinding checks if a proxy server is enabled. It also carved out an exception for the no_proxy setting: if the URL is configured to bypass a proxy, UrlBlocker would allow the DNS rebinding protection to go ahead. DNS rebinding protection resolves the hostname to the IP address before the request is initiated.

When the HTTP request was initiated, the Net::HTTP request would compare the resolved IP against the no_proxy list. If the IP address did not match any entries in no_proxy, the request would erroneously be routed to the proxy server.

This change fixes the issue of no_proxy being ignored by returning a boolean, use_proxy, in UrlBlocker. If false, this tells the caller that the proxy should be disabled, since the UrlBlocker normally does the necessary checks to determine whether a proxy should be used. This commit also refactors the return value to use a Struct.
Relates to #410636 (closed)
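As an added illustration (not GitLab's code) of the failure described above: a constructed model in which the blocker pins the request to the resolved IP, the pre-fix caller re-runs no_proxy matching on that IP so a hostname entry in no_proxy no longer matches, while the fixed flow carries use_proxy from the blocker. The no_proxy matcher and the injected resolver are simplified stand-ins, not Net::HTTP's actual implementation.

```ruby
require 'ipaddr'
require 'uri'

# Constructed model (not GitLab's code) of the UrlBlocker / no_proxy
# interaction described above: the blocker pins the connection to the
# resolved IP, and the fix makes it report use_proxy to the caller.
UrlCheck = Struct.new(:uri, :hostname, :use_proxy)

# Simplified no_proxy matcher modelled on the rules URI#find_proxy applies:
# a host matches a bare or leading-dot suffix entry, an IP matches a CIDR
# entry. Hostname entries never match a bare IP, which is the root cause.
def bypass_proxy?(host, no_proxy)
  no_proxy.split(',').map(&:strip).reject(&:empty?).any? do |entry|
    if entry.match?(%r{\A\d+\.\d+\.\d+\.\d+(/\d+)?\z})
      begin
        IPAddr.new(entry).include?(IPAddr.new(host))
      rescue IPAddr::InvalidAddressError
        false # host is a name, not an address
      end
    else
      suffix = entry.start_with?('.') ? entry : ".#{entry}"
      ".#{host}".downcase.end_with?(suffix.downcase)
    end
  end
end

# DNS rebinding protection: resolve once and pin the request to that IP.
# `resolver` is injected so the example runs offline on constructed records.
def url_blocker_validate(url, no_proxy:, resolver:)
  uri = URI.parse(url)
  pinned = uri.dup
  pinned.host = resolver.call(uri.hostname)
  # The fix: evaluate no_proxy against the ORIGINAL hostname before it is
  # replaced by the address, and hand the decision back to the caller.
  use_proxy = !bypass_proxy?(uri.hostname, no_proxy)
  UrlCheck.new(pinned, uri.hostname, use_proxy)
end

# Before the fix the caller re-checked no_proxy on the connection host,
# which by then is the pinned IP, so hostname entries never matched.
def proxied_before_fix?(url, no_proxy:, resolver:)
  check = url_blocker_validate(url, no_proxy: no_proxy, resolver: resolver)
  !bypass_proxy?(check.uri.host, no_proxy)
end

# After the fix the caller simply honours the blocker's decision.
def proxied_after_fix?(url, no_proxy:, resolver:)
  url_blocker_validate(url, no_proxy: no_proxy, resolver: resolver).use_proxy
end
```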
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
- The original MR has been deployed to GitLab.com (not applicable for documentation or spec changes).
- This MR has a severity label assigned (if applicable).
- This MR has been approved by a maintainer (only one approval is required).
- Ensure the e2e:package-and-test-ee job has either succeeded or been approved by a Software Engineer in Test.
Note to the merge request author and maintainer
If you have questions about the patch release process, please:
- Refer to the patch release runbook for engineers and maintainers for guidance.
- Ask questions on the #releases Slack channel (internal only).