gitlab-org--gitlab-foss/config/initializers/trusted_proxies.rb
blackst0ne 2306e49060 [Rails5] Fix trusted proxies
There is a bug in trusted proxies: https://github.com/rails/rails/issues/5223
This commit adds a monkey patch to fix the bug.

Example of errors:

```
1) trusted_proxies with default config preserves private IPs
    Failure/Error: expect(request.ip).to eq('10.1.5.89')

      expected: "10.1.5.89"
          got: nil

      (compared using ==)
    # ./spec/initializers/trusted_proxies_spec.rb:12:in `block (3 levels) in <top (required)>'

2) trusted_proxies with default config filters out localhost
    Failure/Error: expect(request.ip).to eq('10.1.5.89')

      expected: "10.1.5.89"
          got: "1.1.1.1"

      (compared using ==)
    # ./spec/initializers/trusted_proxies_spec.rb:18:in `block (3 levels) in <top (required)>'
```
2018-05-03 20:14:20 +11:00

37 lines
1.2 KiB
Ruby

# Override Rack::Request to make use of the same list of trusted_proxies
# as the ActionDispatch::Request object. This is necessary for libraries
# like rack_attack where they don't use ActionDispatch, and we want them
# to block/throttle requests on private networks.
# Rack Attack specific issue: https://github.com/kickstarter/rack-attack/issues/145
module Rack
class Request
def trusted_proxy?(ip)
Rails.application.config.action_dispatch.trusted_proxies.any? { |proxy| proxy === ip }
rescue IPAddr::InvalidAddressError
false
end
end
end
gitlab_trusted_proxies = Array(Gitlab.config.gitlab.trusted_proxies).map do |proxy|
begin
IPAddr.new(proxy)
rescue IPAddr::InvalidAddressError
end
end.compact
Rails.application.config.action_dispatch.trusted_proxies = (
['127.0.0.1', '::1'] + gitlab_trusted_proxies)
# A monkey patch to make trusted proxies work with Rails 5.0.
# Inspired by https://github.com/rails/rails/issues/5223#issuecomment-263778719
# Remove this monkey patch when upstream is fixed.
if Gitlab.rails5?
module TrustedProxyMonkeyPatch
def ip
@ip ||= (get_header("action_dispatch.remote_ip") || super).to_s
end
end
ActionDispatch::Request.send(:include, TrustedProxyMonkeyPatch)
end