gitlab-org--gitlab-foss/lib/gitlab/http.rb

# frozen_string_literal: true

# This class is used as a proxy for all outbounding http connection
# coming from callbacks, services and hooks. The direct use of the HTTParty
# is discouraged because it can lead to several security problems, like SSRF
# calling internal IP or services.
module Gitlab
  class HTTP
    BlockedUrlError = Class.new(StandardError)
    RedirectionTooDeep = Class.new(StandardError)

    HTTP_ERRORS = [
      SocketError, OpenSSL::SSL::SSLError, OpenSSL::OpenSSLError,
      Errno::ECONNRESET, Errno::ECONNREFUSED, Errno::EHOSTUNREACH,
      Net::OpenTimeout, Net::ReadTimeout, Gitlab::HTTP::BlockedUrlError,
      Gitlab::HTTP::RedirectionTooDeep
    ].freeze

    include HTTParty # rubocop:disable Gitlab/HTTParty

    connection_adapter HTTPConnectionAdapter

    def self.perform_request(http_method, path, options, &block)
      super
    rescue HTTParty::RedirectionTooDeep
      raise RedirectionTooDeep
    end

    def self.try_get(path, options = {}, &block)
      log_info = options.delete(:extra_log_info)
      self.get(path, options, &block)

    rescue *HTTP_ERRORS => e
      extra_info = log_info || {}
      extra_info = log_info.call(e, path, options) if log_info.respond_to?(:call)

      Gitlab::ErrorTracking.log_exception(e, extra_info)
      nil
    end
  end
end
Enable frozen string for lib/gitlab/*.rb 2018-10-22 03:00:50 -04:00			`# frozen_string_literal: true`

Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6' Server Side Request Forgery in Services and Web Hooks See merge request gitlab/gitlabhq!2337 2018-03-13 18:38:25 -04:00			`# This class is used as a proxy for all outbounding http connection`
			`# coming from callbacks, services and hooks. The direct use of the HTTParty`
			`# is discouraged because it can lead to several security problems, like SSRF`
			`# calling internal IP or services.`
			`module Gitlab`
			`class HTTP`
Raise more descriptive errors when URLs are blocked 2018-03-28 13:27:16 -04:00			`BlockedUrlError = Class.new(StandardError)`
Catch `RedirectionTooDeep` Exception in webhooks 2018-10-19 01:55:06 -04:00			`RedirectionTooDeep = Class.new(StandardError)`
Raise more descriptive errors when URLs are blocked 2018-03-28 13:27:16 -04:00
Setup Phabricator import This sets up all the basics for importing Phabricator tasks into GitLab issues. To import all tasks from a Phabricator instance into GitLab, we'll import all of them into a new project that will have its repository disabled. The import is hooked into a regular ProjectImport setup, but similar to the GitHub parallel importer takes care of all the imports itself. In this iteration, we're importing each page of tasks in a separate sidekiq job. The first thing we do when requesting a new page of tasks is schedule the next page to be imported. But to avoid deadlocks, we only allow a single job per worker type to run at the same time. For now we're only importing basic Issue information, this should be extended to richer information. 2019-04-23 10:27:01 -04:00			`HTTP_ERRORS = [`
Add OpenSSL::OpenSSLError to HTTP_ERRORS Some services can raise OpenSSL::X509::CertificateError due to an invalid SSL certificates, with OpenSSL::OpenSSLError we can handle these errors. 2019-07-05 17:05:24 -04:00			`SocketError, OpenSSL::SSL::SSLError, OpenSSL::OpenSSLError,`
			`Errno::ECONNRESET, Errno::ECONNREFUSED, Errno::EHOSTUNREACH,`
			`Net::OpenTimeout, Net::ReadTimeout, Gitlab::HTTP::BlockedUrlError,`
Setup Phabricator import This sets up all the basics for importing Phabricator tasks into GitLab issues. To import all tasks from a Phabricator instance into GitLab, we'll import all of them into a new project that will have its repository disabled. The import is hooked into a regular ProjectImport setup, but similar to the GitHub parallel importer takes care of all the imports itself. In this iteration, we're importing each page of tasks in a separate sidekiq job. The first thing we do when requesting a new page of tasks is schedule the next page to be imported. But to avoid deadlocks, we only allow a single job per worker type to run at the same time. For now we're only importing basic Issue information, this should be extended to richer information. 2019-04-23 10:27:01 -04:00			`Gitlab::HTTP::RedirectionTooDeep`
			`].freeze`

Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6' Server Side Request Forgery in Services and Web Hooks See merge request gitlab/gitlabhq!2337 2018-03-13 18:38:25 -04:00			`include HTTParty # rubocop:disable Gitlab/HTTParty`

Protect Gitlab::HTTP against DNS rebinding attack Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field. 2019-04-21 06:03:26 -04:00			`connection_adapter HTTPConnectionAdapter`
Catch `RedirectionTooDeep` Exception in webhooks 2018-10-19 01:55:06 -04:00
			`def self.perform_request(http_method, path, options, &block)`
			`super`
			`rescue HTTParty::RedirectionTooDeep`
			`raise RedirectionTooDeep`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-03-23 14:09:25 -04:00
			`def self.try_get(path, options = {}, &block)`
			`log_info = options.delete(:extra_log_info)`
			`self.get(path, options, &block)`

			`rescue *HTTP_ERRORS => e`
			`extra_info = log_info \|\| {}`
			`extra_info = log_info.call(e, path, options) if log_info.respond_to?(:call)`

			`Gitlab::ErrorTracking.log_exception(e, extra_info)`
			`nil`
			`end`
Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6' Server Side Request Forgery in Services and Web Hooks See merge request gitlab/gitlabhq!2337 2018-03-13 18:38:25 -04:00			`end`
			`end`