Use hostmatcher to replace matchlist, improve security (#17605)

Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.
2025-06-02 10:12:11 +08:00 · 2021-11-20 17:34:05 +08:00
parent c96be0cd98
commit 013fb73068
33 changed files with 377 additions and 293 deletions
--- a/services/migrations/http_client.go
+++ b/services/migrations/http_client.go
@ -0,0 +1,30 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"crypto/tls"
+	"net/http"
+
+	"code.gitea.io/gitea/modules/hostmatcher"
+	"code.gitea.io/gitea/modules/proxy"
+	"code.gitea.io/gitea/modules/setting"
+)
+
+// NewMigrationHTTPClient returns a HTTP client for migration
+func NewMigrationHTTPClient() *http.Client {
+	return &http.Client{
+		Transport: NewMigrationHTTPTransport(),
+	}
+}
+
+// NewMigrationHTTPTransport returns a HTTP transport for migration
+func NewMigrationHTTPTransport() *http.Transport {
+	return &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Migrations.SkipTLSVerify},
+		Proxy:           proxy.Proxy(),
+		DialContext:     hostmatcher.NewDialContext("migration", allowList, blockList),
+	}
+}