From 2fd5cc2bff81ddcbce8381bb0c835d1d1717c0ed Mon Sep 17 00:00:00 2001
From: Brett Walker <brett@digitalmoksha.com>
Date: Thu, 2 Nov 2017 12:50:04 +0000
Subject: [PATCH] Geo route whitelisting is too optimistic

---
 .../3274-geo-route-whitelisting.yml           |  5 ++++
 lib/gitlab/middleware/read_only.rb            |  5 ++--
 spec/lib/gitlab/middleware/read_only_spec.rb  | 26 +++++++++++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/unreleased/3274-geo-route-whitelisting.yml

diff --git a/changelogs/unreleased/3274-geo-route-whitelisting.yml b/changelogs/unreleased/3274-geo-route-whitelisting.yml
new file mode 100644
index 00000000000..43a5af80497
--- /dev/null
+++ b/changelogs/unreleased/3274-geo-route-whitelisting.yml
@@ -0,0 +1,5 @@
+---
+title: Tighten up whitelisting of certain Geo routes
+merge_request: 15082
+author:
+type: fixed
diff --git a/lib/gitlab/middleware/read_only.rb b/lib/gitlab/middleware/read_only.rb
index 0de0cddcce4..8853dfa3d2d 100644
--- a/lib/gitlab/middleware/read_only.rb
+++ b/lib/gitlab/middleware/read_only.rb
@@ -12,6 +12,7 @@ module Gitlab
 
       def call(env)
         @env = env
+        @route_hash = nil
 
         if disallowed_request? && Gitlab::Database.read_only?
           Rails.logger.debug('GitLab ReadOnly: preventing possible non read-only operation')
@@ -77,11 +78,11 @@ module Gitlab
       end
 
       def grack_route
-        request.path.end_with?('.git/git-upload-pack')
+        route_hash[:controller] == 'projects/git_http' && route_hash[:action] == 'git_upload_pack'
       end
 
       def lfs_route
-        request.path.end_with?('/info/lfs/objects/batch')
+        route_hash[:controller] == 'projects/lfs_api' && route_hash[:action] == 'batch'
       end
     end
   end
diff --git a/spec/lib/gitlab/middleware/read_only_spec.rb b/spec/lib/gitlab/middleware/read_only_spec.rb
index 742a792a1af..86be06ff595 100644
--- a/spec/lib/gitlab/middleware/read_only_spec.rb
+++ b/spec/lib/gitlab/middleware/read_only_spec.rb
@@ -83,6 +83,13 @@ describe Gitlab::Middleware::ReadOnly do
       expect(subject).to disallow_request
     end
 
+    it 'expects POST of new file that looks like an LFS batch url to be disallowed' do
+      response = request.post('/root/gitlab-ce/new/master/app/info/lfs/objects/batch')
+
+      expect(response).to be_a_redirect
+      expect(subject).to disallow_request
+    end
+
     context 'whitelisted requests' do
       it 'expects DELETE request to logout to be allowed' do
         response = request.delete('/users/sign_out')
@@ -104,6 +111,25 @@ describe Gitlab::Middleware::ReadOnly do
         expect(response).not_to be_a_redirect
         expect(subject).not_to disallow_request
       end
+
+      it 'expects a POST request to git-upload-pack URL to be allowed' do
+        response = request.post('/root/rouge.git/git-upload-pack')
+
+        expect(response).not_to be_a_redirect
+        expect(subject).not_to disallow_request
+      end
+
+      it 'expects requests to sidekiq admin to be allowed' do
+        response = request.post('/admin/sidekiq')
+
+        expect(response).not_to be_a_redirect
+        expect(subject).not_to disallow_request
+
+        response = request.get('/admin/sidekiq')
+
+        expect(response).not_to be_a_redirect
+        expect(subject).not_to disallow_request
+      end
     end
   end