Commit aa727434 authored by Stan Hu

Merge branch 'fix-invalid-x-forwarded-for-ip' into 'master'

Ignore invalid IPs in X-Forwarded-For when trusted proxies are configured.

## What does this MR do?

Catches IPAddr::InvalidAddressError exceptions in `trusted_proxy?` when a) a trusted proxy is set up in the gitlab config and b) an invalid IP address is passed to the method (e.g. one with a port attached). When caught, returns `false` from the method. Prevents a 500 error in this situation.

## What are the relevant issue numbers?

Closes gitlab-org/gitlab-ce#20466.

## Does this MR meet the acceptance criteria?

- [X] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [N/A] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [N/A] API support added
- Tests
  - [X] Added for this feature/bug
  - [X] All builds are passing
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [X] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5584
parents e299504b c9ce36e8
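As an added illustration (not GitLab's or Rack's code) of the failure the commit message describes: `IPAddr#===` raises for an unparseable string such as `1.1.1.1:12345`, the rescued version returns `false`, and a simplified reconstruction of the X-Forwarded-For walk shows that a malformed entry placed last is then reported as the client address. The trusted proxy ranges, `client_ip` helper and header values are constructed for this example.

```ruby
require 'ipaddr'

# Constructed trusted proxy list (assumption): IPAddr ranges, the form a
# Rails `trusted_proxies` setting ends up holding.
TRUSTED_PROXIES = [IPAddr.new('10.0.0.0/8'), IPAddr.new('192.168.1.1')].freeze

# Pre-fix behaviour: IPAddr#=== coerces its argument with IPAddr.new, which
# raises IPAddr::InvalidAddressError for strings like '1.1.1.1:12345'.
def trusted_proxy_unguarded?(ip)
  TRUSTED_PROXIES.any? { |proxy| proxy === ip }
end

# Post-fix behaviour: an unparseable entry is simply "not a trusted proxy".
def trusted_proxy?(ip)
  trusted_proxy_unguarded?(ip)
rescue IPAddr::InvalidAddressError
  false
end

# Simplified reconstruction (not Rack's source) of how the client address is
# picked: split the header, drop trusted proxies, take the last remaining
# entry, fall back to REMOTE_ADDR. Malformed entries are kept as "untrusted".
def client_ip(remote_addr, xff)
  candidates = (xff || '').split(/[,\s]+/).reject(&:empty?)
  untrusted = candidates.reject { |ip| trusted_proxy?(ip) }
  untrusted.last || remote_addr
end

# True if the unguarded check raises on a port-suffixed address.
def raises_on_port_suffix?
  trusted_proxy_unguarded?('1.1.1.1:12345')
  false
rescue IPAddr::InvalidAddressError
  true
end
```

With the header from the spec the valid address comes last and wins; with the malformed entry last, `client_ip` hands back `1.1.1.1:12345` unchanged, which is the case the rescue alone does not address.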
...@@ -40,6 +40,7 @@ v 8.11.0 (unreleased) ...@@ -40,6 +40,7 @@ v 8.11.0 (unreleased)
v 8.10.3 (unreleased) v 8.10.3 (unreleased)
- Fix hooks missing on imported GitLab projects - Fix hooks missing on imported GitLab projects
- Properly abort a merge when merge conflicts occur - Properly abort a merge when merge conflicts occur
- Ignore invalid IPs in X-Forwarded-For when trusted proxies are configured.
v 8.10.2 v 8.10.2
- User can now search branches by name. !5144 - User can now search branches by name. !5144
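Review bot: the new CHANGELOG entry under v 8.10.3 carries no merge request reference, while the neighbouring entry "User can now search branches by name. !5144" shows the convention of appending one; consider adding !5584, the MR number given in the commit message.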
......
...@@ -7,6 +7,8 @@ module Rack ...@@ -7,6 +7,8 @@ module Rack
class Request class Request
def trusted_proxy?(ip) def trusted_proxy?(ip)
Rails.application.config.action_dispatch.trusted_proxies.any? { |proxy| proxy === ip } Rails.application.config.action_dispatch.trusted_proxies.any? { |proxy| proxy === ip }
rescue IPAddr::InvalidAddressError
false
end end
end end
end end
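Review bot: the method-level `rescue IPAddr::InvalidAddressError` deserves a one-line comment, since nothing in `trusted_proxy?` visibly constructs an IPAddr; a reader has to know that `proxy === ip` coerces the string and raises on entries such as `1.1.1.1:12345`. The comment should also say that returning `false` classifies the malformed entry as an untrusted client address rather than discarding it, which is what the caller then sees.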
......
...@@ -47,6 +47,12 @@ describe 'trusted_proxies', lib: true do ...@@ -47,6 +47,12 @@ describe 'trusted_proxies', lib: true do
expect(request.remote_ip).to eq('1.1.1.1') expect(request.remote_ip).to eq('1.1.1.1')
expect(request.ip).to eq('1.1.1.1') expect(request.ip).to eq('1.1.1.1')
end end
it 'handles invalid ip addresses' do
request = stub_request('HTTP_X_FORWARDED_FOR' => '(null), 1.1.1.1:12345, 1.1.1.1')
expect(request.remote_ip).to eq('1.1.1.1')
expect(request.ip).to eq('1.1.1.1')
end
end end
def stub_request(headers = {}) def stub_request(headers = {})
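Review bot: the single case in 'handles invalid ip addresses' puts the valid address `1.1.1.1` after the malformed entries `(null)` and `1.1.1.1:12345`; add a case where a malformed entry is the last element of HTTP_X_FORWARDED_FOR, so the spec pins down what `ip` and `remote_ip` return when the first untrusted hop is itself unparseable.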
......