conf: add allowlist for accessing local network (#6842)

2022-03-14 22:06:08 +08:00 · 2022-03-14 22:06:08 +08:00 · 714383a063
parent a2c6325261
commit 714383a063
13 changed files with 41 additions and 19 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -22,6 +22,7 @@ All notable changes to Gogs are documented in this file.
 ### Fixed

 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
+- _Regression:_ Unable to migrate repository from other local Git hosting. Added a new configuration option `[security] LOCAL_NETWORK_ALLOWLIST`, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. [#6841](https://github.com/gogs/gogs/issues/6841)

 ### Removed

--- a/conf/app.ini
+++ b/conf/app.ini
@ -173,6 +173,8 @@ COOKIE_SECURE = false
 ENABLE_LOGIN_STATUS_COOKIE = false
 ; The cookie name to store user login status.
 LOGIN_STATUS_COOKIE_NAME = login_status
+; A comma separated list of hostnames that are explicitly allowed to be accessed within the local network.
+LOCAL_NETWORK_ALLOWLIST =

 [email]
 ; Whether to enable the email service.
--- a/conf/locale/locale_en-US.ini
+++ b/conf/locale/locale_en-US.ini
@ -1248,6 +1248,7 @@ config.security.cookie_secure = Enable secure cookie
 config.security.reverse_proxy_auth_user = Reverse proxy authentication header
 config.security.enable_login_status_cookie = Enable login status cookie
 config.security.login_status_cookie_name = Login status cookie
+config.security.local_network_allowlist = Local network allowlist

 config.email_config = Email configuration
 config.email.enabled = Enabled
--- a/docs/dev/local_development.md
+++ b/docs/dev/local_development.md
@ -154,6 +154,8 @@ task web --watch
 When you are actively working on HTML templates and static files during development, you may want to enable the following configuration to avoid recompiling and restarting Gogs every time you make a change to files under `template/` and `public/` directories:

 ```ini
+RUN_MODE = dev
+
 [server]
 LOAD_ASSETS_FROM_DISK = true
 ```
--- a/internal/assets/conf/conf_gen.go
+++ b/internal/assets/conf/conf_gen.go
--- a/internal/assets/templates/templates_gen.go
+++ b/internal/assets/templates/templates_gen.go
--- a/internal/conf/static.go
+++ b/internal/conf/static.go
@ -101,6 +101,7 @@ var (
 		CookieSecure            bool
 		EnableLoginStatusCookie bool
 		LoginStatusCookieName   string
+		LocalNetworkAllowlist   []string `delim:","`
 	}

 	// Email settings
--- a/internal/conf/testdata/TestInit.golden.ini
+++ b/internal/conf/testdata/TestInit.golden.ini
@ -77,6 +77,7 @@ COOKIE_USERNAME=gogs_awesome
 COOKIE_SECURE=false
 ENABLE_LOGIN_STATUS_COOKIE=false
 LOGIN_STATUS_COOKIE_NAME=login_status
+LOCAL_NETWORK_ALLOWLIST=

 [email]
 ENABLED=true
--- a/internal/form/repo.go
+++ b/internal/form/repo.go
@ -12,6 +12,7 @@ import (
 	"github.com/unknwon/com"
 	"gopkg.in/macaron.v1"

+	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/db"
 	"gogs.io/gogs/internal/netutil"
 )
@ -71,7 +72,7 @@ func (f MigrateRepo) ParseRemoteAddr(user *db.User) (string, error) {
 			return "", db.ErrInvalidCloneAddr{IsURLError: true}
 		}

-		if netutil.IsLocalHostname(u.Hostname()) {
+		if netutil.IsLocalHostname(u.Hostname(), conf.Security.LocalNetworkAllowlist) {
 			return "", db.ErrInvalidCloneAddr{IsURLError: true}
 		}

--- a/internal/netutil/netutil.go
+++ b/internal/netutil/netutil.go
@ -47,8 +47,15 @@ func init() {
 	}
 }

-// IsLocalHostname returns true if given hostname is a known local address.
-func IsLocalHostname(hostname string) bool {
+// IsLocalHostname returns true if given hostname is resolved to local network
+// address, except exempted from the allowlist.
+func IsLocalHostname(hostname string, allowlist []string) bool {
+	for _, allow := range allowlist {
+		if hostname == allow {
+			return false
+		}
+	}
+
 	ips, err := net.LookupIP(hostname)
 	if err != nil {
 		return true
--- a/internal/netutil/netutil_test.go
+++ b/internal/netutil/netutil_test.go
@ -12,8 +12,9 @@ import (

 func TestIsLocalHostname(t *testing.T) {
 	tests := []struct {
-		hostname string
-		want     bool
+		hostname  string
+		allowlist []string
+		want      bool
 	}{
 		{hostname: "localhost", want: true},
 		{hostname: "127.0.0.1", want: true},
@ -27,10 +28,13 @@ func TestIsLocalHostname(t *testing.T) {
 		{hostname: "gogs.io", want: false},
 		{hostname: "google.com", want: false},
 		{hostname: "165.232.140.255", want: false},
+
+		{hostname: "192.168.123.45", allowlist: []string{"10.0.0.17"}, want: true},
+		{hostname: "gogs.local", allowlist: []string{"gogs.local"}, want: false},
 	}
 	for _, test := range tests {
 		t.Run("", func(t *testing.T) {
-			assert.Equal(t, test.want, IsLocalHostname(test.hostname))
+			assert.Equal(t, test.want, IsLocalHostname(test.hostname, test.allowlist))
 		})
 	}
 }
--- a/internal/route/repo/webhook.go
+++ b/internal/route/repo/webhook.go
@ -128,7 +128,7 @@ func validateWebhook(actor *db.User, l macaron.Locale, w *db.Webhook) (field, ms
 			return "PayloadURL", l.Tr("repo.settings.webhook.err_cannot_parse_payload_url", err), false
 		}

-		if netutil.IsLocalHostname(payloadURL.Hostname()) {
+		if netutil.IsLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) {
 			return "PayloadURL", l.Tr("repo.settings.webhook.err_cannot_use_local_addresses"), false
 		}
 	}
--- a/templates/admin/config.tmpl
+++ b/templates/admin/config.tmpl
@ -210,6 +210,8 @@
 						<dd><i class="fa fa{{if .Security.EnableLoginStatusCookie}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.security.login_status_cookie_name"}}</dt>
 						<dd>{{.Security.LoginStatusCookieName}}</dd>
+						<dt>{{.i18n.Tr "admin.config.security.local_network_allowlist"}}</dt>
+						<dd><code>{{.Security.LocalNetworkAllowlist}}</code></dd>
 					</dl>
 				</div>