opensource/gitea
1
0
Fork 0
mirror of https://gitcode.com/gitea/gitea.git synced 2025-06-01 15:55:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

Use hostmatcher to replace matchlist, improve security (#17605)

Browse Source 
Use hostmacher to replace matchlist.

And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
This commit is contained in:
wxiaoguang
2021-11-20 17:34:05 +08:00
committed by GitHub
parent c96be0cd98
commit 013fb73068
33 changed files with 377 additions and 293 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
routers/api/v1/repo/migrate.go
View File

@ -253,10 +253,8 @@ func handleRemoteAddrError(ctx *context.APIContext, err error) {
case addrErr.IsPermissionDenied:
if addrErr.LocalPath {
ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import local repositories.")
} else if len(addrErr.PrivateNet) == 0 {
ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import from blocked hosts.")
} else {
ctx.Error(http.StatusUnprocessableEntity, "", "You are not allowed to import from private IPs.")
ctx.Error(http.StatusUnprocessableEntity, "", "You can not import from disallowed hosts.")
}
case addrErr.IsInvalidPath:
ctx.Error(http.StatusUnprocessableEntity, "", "Invalid local path, it does not exist or not a directory.")