Update net-protocol to v0.2.2

What does this MR do and why?

The monkey patches for Net::BufferedIO were extracted to the gitlab-http gem in !125024 (merged), and the gem handles the #readuntil changes for v0.2.2.

Now that Ruby 3.3 and up ship with net-protocol v0.2.1 and up, we should update to this version.

Diff: https://my.diffend.io/gems/net-protocol/0.1.2/0.2.2

References

Relates to #392378

How to validate locally

To test the net-protocol mitigations still work:

  1. Check out this branch.
  2. In Admin -> Network -> Outbound requests, click on Allow requests to the local network from webhooks and integrations.
  3. Click Save changes.
  4. In one terminal, spin up netcat by running: nc -k -l 9999
  5. In bin/rails console: run Gitlab::HTTP.get('http://127.0.0.1:9999').
  6. In the netcat terminal, respond with:

     HTTP/1.1 200 OK

  7. In the same terminal, start typing slowly, one character every few seconds.
  8. Eventually you should see the client give up:

     [3] pry(main)> Gitlab::HTTP.get('http://127.0.0.1:9999')
     Errno::ECONNREFUSED: Failed to open TCP connection to 127.0.0.1:9999 (Connection refused - connect(2) for "127.0.0.1" port 9999)
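As an added illustration of what the slow-typing check above exercises (example code written for this page, not the gitlab-http gem's patch and not code from this MR): a constructed slow-drip peer is read once with only Net::BufferedIO's per-read read_timeout, and once with an assumed deadline on the whole status line, which is the kind of mitigation the steps validate.

```ruby
require "net/protocol"

# Constructed slow-drip peer: writes `payload` one character every `delay`
# seconds, like typing into the netcat session by hand.
def slow_drip_writer(io, payload, delay)
  Thread.new do
    payload.each_char { |c| sleep(delay); io.write(c) }
    io.close
  end
end

# Naive reader: only the per-read timeout. Every byte arrives well within
# read_timeout, so this waits as long as the peer keeps dripping bytes.
def read_status_line_naive(io, read_timeout:)
  Net::BufferedIO.new(io, read_timeout: read_timeout).readline
end

# Mitigated reader (assumed approach, not the gem's code): same per-read
# timeout plus a deadline on the whole line, so a slow-drip peer cannot
# hold the client indefinitely.
def read_status_line_with_deadline(io, read_timeout:, deadline:)
  buf = Net::BufferedIO.new(io, read_timeout: read_timeout)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  line = +""
  loop do
    elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
    raise Net::ReadTimeout, "slow response after #{elapsed.round(2)}s" if elapsed > deadline
    ch = buf.read(1)           # per-read timeout still applies here
    break if ch == "\n"
    line << ch
  end
  line.chomp("\r")
end

# Runs both readers against a fresh slow-drip pipe and reports what each saw.
def compare_readers(payload: "HTTP/1.1 200 OK\r\n", delay: 0.1, read_timeout: 1.0, deadline: 0.5)
  results = {}
  r, w = IO.pipe
  slow_drip_writer(w, payload, delay)
  results[:naive] = read_status_line_naive(r, read_timeout: read_timeout)
  r.close
  r, w = IO.pipe
  writer = slow_drip_writer(w, payload, delay)
  results[:deadline] = begin
    read_status_line_with_deadline(r, read_timeout: read_timeout, deadline: deadline)
  rescue Net::ReadTimeout
    :gave_up
  end
  writer.kill
  r.close
  results
end
```

With the defaults, the naive reader returns the full status line after about 1.7 seconds, while the deadline reader gives up after about 0.5 seconds.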

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
