Properly handle multiple X-Forwarded-For addresses in runner IP

https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24624 extracted the X-Forwarded-For address directly, but this didn't consider the case where multiple proxies are in the chain. To fix this, we use the Rails implementation to filter trusted proxies, as documented by Grape: https://github.com/ruby-grape/grape#remote-ip Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/58103
2019-02-24 08:45:00 -08:00 · 2019-02-24 08:45:00 -08:00 · d03b7bb1e0
parent c44c83c447
commit d03b7bb1e0
3 changed files with 15 additions and 1 deletions
--- a/changelogs/unreleased/sh-fix-issue-58103.yml
+++ b/changelogs/unreleased/sh-fix-issue-58103.yml
@ -0,0 +1,5 @@
+---
+title: Properly handle multiple X-Forwarded-For addresses in runner IP
+merge_request: 25511
+author:
+type: fixed
--- a/lib/api/helpers/runner.rb
+++ b/lib/api/helpers/runner.rb
@ -26,7 +26,7 @@ module API
      end

      def get_runner_ip
-        { ip_address: request.env["HTTP_X_FORWARDED_FOR"] || request.ip }
+        { ip_address: env["action_dispatch.remote_ip"].to_s || request.ip }
      end

      def current_runner
--- a/spec/requests/api/runner_spec.rb
+++ b/spec/requests/api/runner_spec.rb
@ -526,6 +526,15 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
            expect(runner.reload.ip_address).to eq('123.222.123.222')
          end

+          it "handles multiple X-Forwarded-For addresses" do
+            post api('/jobs/request'),
+              params: { token: runner.token },
+              headers: { 'User-Agent' => user_agent, 'X-Forwarded-For' => '123.222.123.222, 127.0.0.1' }
+
+            expect(response).to have_gitlab_http_status 201
+            expect(runner.reload.ip_address).to eq('123.222.123.222')
+          end
+
          context 'when concurrently updating a job' do
            before do
              expect_any_instance_of(Ci::Build).to receive(:run!)