Add limited broadcast addr to local network block list in UrlBlocker
What does this MR do and why?
Fulfils 255.255.255.255 IP address should be blocked (#337796 - closed).
UrlBlocker protects GitLab and its users from attacks such as
Server Side Request Forgery and DNS Rebind attacks.
255.255.255.255 is the "limited broadcast address", which is used to
make requests to all hosts on a local physical network 1. Properly
configured routers won't route it. Historically it was used to wake up
offline PCs on a LAN which, since they were asleep, didn't have IP
addresses 2.
Until now, setting allow_local_network had no effect on blocking
255.255.255.255, whether true or false. Now, when
allow_local_network is set to false, 255.255.255.255 is
blocked through the introduction of a check named
validate_limited_broadcast_address.
While UrlBlocker defaults allow_local_network to true, in
practice it is almost always false because of a convention to
use the GitLab configuration option, which defaults to false.
If a GitLab administrator still wants to reach 255.255.255.255,
it can be added explicitly in the Allow List 3.
There is no reason a GitLab user would want to reach this, but it could potentially be misused if an attacker finds a component vulnerable to DNS rebinding, for example.
This commit aims to fulfil #337796 (closed)
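The behaviour this MR describes, as an added Ruby example that is not GitLab's UrlBlocker code: a local-network check built from the usual private, loopback and link-local ranges (an assumed list, not necessarily the exact ranges GitLab uses) never matches 255.255.255.255, so a separate limited-broadcast check is needed; decision shows the outcome with and without that check.

```ruby
require 'ipaddr'

# Added example modelling the two checks discussed in the MR description;
# names and ranges are assumptions, not GitLab's actual implementation.
module BroadcastBlockExample
  class BlockedUrlError < StandardError; end

  LIMITED_BROADCAST = IPAddr.new('255.255.255.255')

  # Ranges a typical "local network" check covers (assumed list).
  LOCAL_RANGES = %w[
    10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    127.0.0.0/8 169.254.0.0/16 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }

  def self.local_network?(ip)
    addr = IPAddr.new(ip)
    # Compare only ranges of the same address family as the input.
    LOCAL_RANGES.any? { |r| r.family == addr.family && r.include?(addr) }
  end

  def self.limited_broadcast?(ip)
    IPAddr.new(ip) == LIMITED_BROADCAST
  end

  # Pre-existing style of check: only the local-network ranges are consulted,
  # so 255.255.255.255 passes through regardless of the setting.
  def self.validate_local_network!(ip, allow_local_network:)
    return if allow_local_network
    raise BlockedUrlError, "#{ip} is a local network address" if local_network?(ip)
  end

  # The added check: limited broadcast is treated as local network too.
  def self.validate_limited_broadcast_address!(ip, allow_local_network:)
    return if allow_local_network
    raise BlockedUrlError, "#{ip} is the limited broadcast address" if limited_broadcast?(ip)
  end

  # Returns :allowed or :blocked for a resolved IP under the given setting.
  def self.decision(ip, allow_local_network:, with_broadcast_check: true)
    validate_local_network!(ip, allow_local_network: allow_local_network)
    if with_broadcast_check
      validate_limited_broadcast_address!(ip, allow_local_network: allow_local_network)
    end
    :allowed
  rescue BlockedUrlError
    :blocked
  end
end
```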
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR. Yes, except for:
  - I have considered using a feature flag for this change because the change may be high risk. This does not need a feature flag because allow_local_network is set to true by default in UrlBlocker and so this added blocking condition won't be checked. When allow_local_network is set to false, an admin would expect 255.255.255.255 to be blocked, and so this shouldn't need a feature flag.
  - I have informed the Infrastructure department of a default setting or new setting change per definition of done, or decided that this is unnecessary. This is unnecessary because the defaults are not changing.