
Draft: Update dependencies' Faraday use to honor GitLab network security rules

Nick Malcolm requested to merge nmalcolm-356354-faraday-adapter into master

Background

Resolves Create Faraday adapter which respects GitLab's ... (#356354 - closed)

GitLab accepts user URLs for a variety of reasons. When we can, we use Gitlab::HTTP which is secure by default and protects against SSRF and DNS Rebind attacks [1]. We also use third-party ruby gems to interact with services and in these cases the gem's author determines how to initiate connections. This creates a potential for vulnerabilities [2].

This change introduces a Faraday adapter [3] that resolves a DNS record to an IP address, validates that the IP address is allowed, and then uses that resolved IP address instead of the hostname.

Any gem that does not set its own adapter (e.g. it uses Faraday.default_adapter) will use our new default adapter.

The adapter is behind a disabled-by-default development feature flag.

See Create Faraday adapter which respects GitLab's ... (#356354 - closed) for areas of code which are / might be impacted.

This is a defense-in-depth measure and is not a vulnerability fix.

TODO

  • Review by staff engineer to identify far-reaching impacts
    • e.g. Elastic, Prometheus, and other places an administrator might have configured to point at local network resources
    • To the best of my knowledge there aren't any
  • Transfer ownership to a group who can create a rollout issue, monitor during deployment, own the feature flag, etc

Breaking changes

  • To be discovered / confirmed-as-no-breaking-changes
    • Geo
    • Elastic
    • Prometheus

No breaking changes (based on specs fixed):

  • For GitHub we already used UrlBlocker, just not "correctly enough"
  • BitBucket is for cloud only, so should not have been configured with local URLs
  • (No change / FYI) BitBucket Server uses Gitlab::HTTP already
  • Prometheus: uses a Google OAuth2-based-gem to fetch tokens.
    • Our Prometheus client itself already uses Gitlab::HTTP directly, so any admins who have set up local prometheus will have already needed to allowlist / allow local network requests
    • OTOH the default value for base_url is localhost:9090...?
