mirror of https://github.com/harness/drone.git
102 lines
3.0 KiB
Go
102 lines
3.0 KiB
Go
// Copyright 2023 Harness, Inc.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package webhook
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/rs/zerolog/log"
|
|
)
|
|
|
|
var (
|
|
errLoopbackNotAllowed = errors.New("loopback not allowed")
|
|
errPrivateNetworkNotAllowed = errors.New("private network not allowed")
|
|
)
|
|
|
|
func newHTTPClient(allowLoopback bool, allowPrivateNetwork bool, disableSSLVerification bool) *http.Client {
|
|
// no customizations? use default client
|
|
if allowLoopback && allowPrivateNetwork && !disableSSLVerification {
|
|
return http.DefaultClient
|
|
}
|
|
|
|
// Clone http.DefaultTransport (used by http.DefaultClient)
|
|
tr := http.DefaultTransport.(*http.Transport).Clone()
|
|
|
|
tr.TLSClientConfig.InsecureSkipVerify = disableSSLVerification
|
|
|
|
// create basic net.Dialer (Similar to what is used by http.DefaultTransport)
|
|
dialer := &net.Dialer{
|
|
Timeout: 30 * time.Second,
|
|
KeepAlive: 30 * time.Second,
|
|
}
|
|
|
|
// overwrite DialContext method to block sending data to localhost
|
|
// NOTE: this doesn't block establishing the connection, but closes it before data is send.
|
|
// WARNING: this allows scanning of IP addresses based on error types.
|
|
tr.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
// dial connection using
|
|
con, err := dialer.DialContext(ctx, network, addr)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// by default close connection unless explicitly marked to keep it
|
|
keepConnection := false
|
|
defer func() {
|
|
// if we decided to keep the connection, nothing to do
|
|
if keepConnection {
|
|
return
|
|
}
|
|
|
|
// otherwise best effort close connection
|
|
cErr := con.Close()
|
|
if cErr != nil {
|
|
log.Ctx(ctx).Warn().Err(err).
|
|
Msgf("failed to close potentially malicious connection to '%s' (resolved: '%s')",
|
|
addr, con.RemoteAddr())
|
|
}
|
|
}()
|
|
|
|
// ensure a tcp address got established and close if it's localhost or private
|
|
tcpAddr, ok := con.RemoteAddr().(*net.TCPAddr)
|
|
if !ok {
|
|
// not expected to happen, but to be sure
|
|
return nil, fmt.Errorf("address resolved to a non-TCP address (original: '%s', resolved: '%s')",
|
|
addr, con.RemoteAddr())
|
|
}
|
|
|
|
if !allowLoopback && tcpAddr.IP.IsLoopback() {
|
|
return nil, errLoopbackNotAllowed
|
|
}
|
|
|
|
if !allowPrivateNetwork && tcpAddr.IP.IsPrivate() {
|
|
return nil, errPrivateNetworkNotAllowed
|
|
}
|
|
|
|
// otherwise keep connection
|
|
keepConnection = true
|
|
|
|
return con, nil
|
|
}
|
|
|
|
// httpClient is similar to http.DefaultClient, just with custom http.Transport
|
|
return &http.Client{Transport: tr}
|
|
}
|