forgejo/modules/hostmatcher/http.go

// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package hostmatcher

import (
	"context"
	"fmt"
	"net"
	"net/url"
	"syscall"
	"time"
)

// NewDialContext returns a DialContext for Transport, the DialContext will do allow/block list check
func NewDialContext(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {
	// How Go HTTP Client works with redirection:
	//   transport.RoundTrip URL=http://domain.com, Host=domain.com
	//   transport.DialContext addrOrHost=domain.com:80
	//   dialer.Control tcp4:11.22.33.44:80
	//   transport.RoundTrip URL=http://www.domain.com/, Host=(empty here, in the direction, HTTP client doesn't fill the Host field)
	//   transport.DialContext addrOrHost=domain.com:80
	//   dialer.Control tcp4:11.22.33.44:80
	return func(ctx context.Context, network, addrOrHost string) (net.Conn, error) {
		dialer := net.Dialer{
			// default values comes from http.DefaultTransport
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,

			Control: func(network, ipAddr string, c syscall.RawConn) error {
				host, port, err := net.SplitHostPort(addrOrHost)
				if err != nil {
					return err
				}
				if proxy != nil {
					// Always allow the host of the proxy, but only on the specified port.
					if host == proxy.Hostname() && port == proxy.Port() {
						return nil
					}
				}

				// in Control func, the addr was already resolved to IP:PORT format, there is no cost to do ResolveTCPAddr here
				tcpAddr, err := net.ResolveTCPAddr(network, ipAddr)
				if err != nil {
					return fmt.Errorf("%s can only call HTTP servers via TCP, deny '%s(%s:%s)', err=%w", usage, host, network, ipAddr, err)
				}

				var blockedError error
				if blockList.MatchHostOrIP(host, tcpAddr.IP) {
					blockedError = fmt.Errorf("%s can not call blocked HTTP servers (check your %s setting), deny '%s(%s)'", usage, blockList.SettingKeyHint, host, ipAddr)
				}

				// if we have an allow-list, check the allow-list first
				if !allowList.IsEmpty() {
					if !allowList.MatchHostOrIP(host, tcpAddr.IP) {
						return fmt.Errorf("%s can only call allowed HTTP servers (check your %s setting), deny '%s(%s)'", usage, allowList.SettingKeyHint, host, ipAddr)
					}
				}
				// otherwise, we always follow the blocked list
				return blockedError
			},
		}
		return dialer.DialContext(ctx, network, addrOrHost)
	}
}
Use `hostmatcher` to replace `matchlist`, improve security (#17605) Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection. 2021-11-20 12:34:05 +03:00			`// Copyright 2021 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 21:20:29 +03:00			`// SPDX-License-Identifier: MIT`
Use `hostmatcher` to replace `matchlist`, improve security (#17605) Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection. 2021-11-20 12:34:05 +03:00
			`package hostmatcher`

			`import (`
			`"context"`
			`"fmt"`
			`"net"`
Support allowed hosts for webhook to work with proxy (#27655) When `webhook.PROXY_URL` has been set, the old code will check if the proxy host is in `ALLOWED_HOST_LIST` or reject requests through the proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`. However, it actually allows all requests to any port on the host, when the proxy host is probably an internal address. But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work when requests are sent to the allowed proxy, and the proxy could forward them to any hosts. This PR fixes it by: - If the proxy has been set, always allow connectioins to the host and port. - Check `ALLOWED_HOST_LIST` before forwarding. 2023-10-18 12:44:36 +03:00			`"net/url"`
Use `hostmatcher` to replace `matchlist`, improve security (#17605) Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection. 2021-11-20 12:34:05 +03:00			`"syscall"`
			`"time"`
			`)`

			`// NewDialContext returns a DialContext for Transport, the DialContext will do allow/block list check`
Support allowed hosts for migrations to work with proxy (#32025) (cherry picked from commit 125679f2e14cdc8a26a147f7e8fd0e5f174fb5cb) 2024-09-11 08:47:00 +03:00			`func NewDialContext(usage string, allowList, blockList HostMatchList, proxy url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {`
Use `hostmatcher` to replace `matchlist`, improve security (#17605) Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection. 2021-11-20 12:34:05 +03:00			`// How Go HTTP Client works with redirection:`
			`// transport.RoundTrip URL=http://domain.com, Host=domain.com`
			`// transport.DialContext addrOrHost=domain.com:80`
			`// dialer.Control tcp4:11.22.33.44:80`
			`// transport.RoundTrip URL=http://www.domain.com/, Host=(empty here, in the direction, HTTP client doesn't fill the Host field)`
			`// transport.DialContext addrOrHost=domain.com:80`
			`// dialer.Control tcp4:11.22.33.44:80`
			`return func(ctx context.Context, network, addrOrHost string) (net.Conn, error) {`
			`dialer := net.Dialer{`
			`// default values comes from http.DefaultTransport`
			`Timeout: 30 * time.Second,`
			`KeepAlive: 30 * time.Second,`

Support allowed hosts for webhook to work with proxy (#27655) When `webhook.PROXY_URL` has been set, the old code will check if the proxy host is in `ALLOWED_HOST_LIST` or reject requests through the proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`. However, it actually allows all requests to any port on the host, when the proxy host is probably an internal address. But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work when requests are sent to the allowed proxy, and the proxy could forward them to any hosts. This PR fixes it by: - If the proxy has been set, always allow connectioins to the host and port. - Check `ALLOWED_HOST_LIST` before forwarding. 2023-10-18 12:44:36 +03:00			`Control: func(network, ipAddr string, c syscall.RawConn) error {`
			`host, port, err := net.SplitHostPort(addrOrHost)`
			`if err != nil {`
Use `hostmatcher` to replace `matchlist`, improve security (#17605) Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection. 2021-11-20 12:34:05 +03:00			`return err`
			`}`
Support allowed hosts for webhook to work with proxy (#27655) When `webhook.PROXY_URL` has been set, the old code will check if the proxy host is in `ALLOWED_HOST_LIST` or reject requests through the proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`. However, it actually allows all requests to any port on the host, when the proxy host is probably an internal address. But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work when requests are sent to the allowed proxy, and the proxy could forward them to any hosts. This PR fixes it by: - If the proxy has been set, always allow connectioins to the host and port. - Check `ALLOWED_HOST_LIST` before forwarding. 2023-10-18 12:44:36 +03:00			`if proxy != nil {`
			`// Always allow the host of the proxy, but only on the specified port.`
			`if host == proxy.Hostname() && port == proxy.Port() {`
			`return nil`
			`}`
			`}`

Use `hostmatcher` to replace `matchlist`, improve security (#17605) Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection. 2021-11-20 12:34:05 +03:00			`// in Control func, the addr was already resolved to IP:PORT format, there is no cost to do ResolveTCPAddr here`
			`tcpAddr, err := net.ResolveTCPAddr(network, ipAddr)`
			`if err != nil {`
Replace all instances of fmt.Errorf(%v) with fmt.Errorf(%w) (#21551) Found using `find . -type f -name '.go' -print -exec vim {} -c ':%s/fmt\.Errorf(\(.\)%v\(.*\)err/fmt.Errorf(\1%w\2err/g' -c ':wq' \;` Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Andrew Thornton <art27@cantab.net> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> 2022-10-24 22:29:17 +03:00			`return fmt.Errorf("%s can only call HTTP servers via TCP, deny '%s(%s:%s)', err=%w", usage, host, network, ipAddr, err)`
Use `hostmatcher` to replace `matchlist`, improve security (#17605) Use hostmacher to replace matchlist. And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection. 2021-11-20 12:34:05 +03:00			`}`

			`var blockedError error`
			`if blockList.MatchHostOrIP(host, tcpAddr.IP) {`
			`blockedError = fmt.Errorf("%s can not call blocked HTTP servers (check your %s setting), deny '%s(%s)'", usage, blockList.SettingKeyHint, host, ipAddr)`
			`}`

			`// if we have an allow-list, check the allow-list first`
			`if !allowList.IsEmpty() {`
			`if !allowList.MatchHostOrIP(host, tcpAddr.IP) {`
			`return fmt.Errorf("%s can only call allowed HTTP servers (check your %s setting), deny '%s(%s)'", usage, allowList.SettingKeyHint, host, ipAddr)`
			`}`
			`}`
			`// otherwise, we always follow the blocked list`
			`return blockedError`
			`},`
			`}`
			`return dialer.DialContext(ctx, network, addrOrHost)`
			`}`
			`}`