conf: add allowlist for accessing local network (#6842)

2022-03-14 22:06:08 +08:00 · 2022-03-14 22:06:08 +08:00 · 714383a063
parent a2c6325261
commit 714383a063
13 changed files with 41 additions and 19 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -22,6 +22,7 @@ All notable changes to Gogs are documented in this file.
 ### Fixed
 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
 - _Regression:_ Unable to migrate repository from other local Git hosting. Added a new configuration option `[security] LOCAL_NETWORK_ALLOWLIST`, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. [#6841](https://github.com/gogs/gogs/issues/6841)
 ### Removed
--- a/conf/app.ini
+++ b/conf/app.ini
@ -173,6 +173,8 @@ COOKIE_SECURE = false
 ENABLE_LOGIN_STATUS_COOKIE = false
 ; The cookie name to store user login status.
 LOGIN_STATUS_COOKIE_NAME = login_status
 ; A comma separated list of hostnames that are explicitly allowed to be accessed within the local network.
 LOCAL_NETWORK_ALLOWLIST =
 [email]
 ; Whether to enable the email service.
--- a/conf/locale/locale_en-US.ini
+++ b/conf/locale/locale_en-US.ini
@ -1248,6 +1248,7 @@ config.security.cookie_secure = Enable secure cookie
 config.security.reverse_proxy_auth_user = Reverse proxy authentication header
 config.security.enable_login_status_cookie = Enable login status cookie
 config.security.login_status_cookie_name = Login status cookie
 config.security.local_network_allowlist = Local network allowlist
 config.email_config = Email configuration
 config.email.enabled = Enabled
--- a/docs/dev/local_development.md
+++ b/docs/dev/local_development.md
@ -154,6 +154,8 @@ task web --watch
 When you are actively working on HTML templates and static files during development, you may want to enable the following configuration to avoid recompiling and restarting Gogs every time you make a change to files under `template/` and `public/` directories:
 ```ini
 RUN_MODE = dev
 [server]
 LOAD_ASSETS_FROM_DISK = true
 ```
--- a/internal/assets/conf/conf_gen.go
+++ b/internal/assets/conf/conf_gen.go
--- a/internal/assets/templates/templates_gen.go
+++ b/internal/assets/templates/templates_gen.go
--- a/internal/conf/static.go
+++ b/internal/conf/static.go
@ -101,6 +101,7 @@ var (
 		CookieSecure            bool
 		EnableLoginStatusCookie bool
 		LoginStatusCookieName   string
 		LocalNetworkAllowlist   []string `delim:","`
 	}
 	// Email settings
--- a/internal/conf/testdata/TestInit.golden.ini
+++ b/internal/conf/testdata/TestInit.golden.ini
@ -77,6 +77,7 @@ COOKIE_USERNAME=gogs_awesome
 COOKIE_SECURE=false
 ENABLE_LOGIN_STATUS_COOKIE=false
 LOGIN_STATUS_COOKIE_NAME=login_status
 LOCAL_NETWORK_ALLOWLIST=
 [email]
 ENABLED=true
--- a/internal/form/repo.go
+++ b/internal/form/repo.go
@ -12,6 +12,7 @@ import (
 	"github.com/unknwon/com"
 	"gopkg.in/macaron.v1"
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/db"
 	"gogs.io/gogs/internal/netutil"
 )
@ -71,7 +72,7 @@ func (f MigrateRepo) ParseRemoteAddr(user *db.User) (string, error) {
 			return "", db.ErrInvalidCloneAddr{IsURLError: true}
 		}
-		if netutil.IsLocalHostname(u.Hostname()) {
+		if netutil.IsLocalHostname(u.Hostname(), conf.Security.LocalNetworkAllowlist) {
 			return "", db.ErrInvalidCloneAddr{IsURLError: true}
 		}
--- a/internal/netutil/netutil.go
+++ b/internal/netutil/netutil.go
@ -47,8 +47,15 @@ func init() {
 	}
 }
-// IsLocalHostname returns true if given hostname is a known local address.
+// IsLocalHostname returns true if given hostname is resolved to local network
-func IsLocalHostname(hostname string) bool {
+// address, except exempted from the allowlist.
 func IsLocalHostname(hostname string, allowlist []string) bool {
 	for _, allow := range allowlist {
 		if hostname == allow {
 			return false
 		}
 	}
 	ips, err := net.LookupIP(hostname)
 	if err != nil {
 		return true
--- a/internal/netutil/netutil_test.go
+++ b/internal/netutil/netutil_test.go
@ -13,6 +13,7 @@ import (
 func TestIsLocalHostname(t *testing.T) {
 	tests := []struct {
 		hostname  string
 		allowlist []string
 		want      bool
 	}{
 		{hostname: "localhost", want: true},
@ -27,10 +28,13 @@ func TestIsLocalHostname(t *testing.T) {
 		{hostname: "gogs.io", want: false},
 		{hostname: "google.com", want: false},
 		{hostname: "165.232.140.255", want: false},
 		{hostname: "192.168.123.45", allowlist: []string{"10.0.0.17"}, want: true},
 		{hostname: "gogs.local", allowlist: []string{"gogs.local"}, want: false},
 	}
 	for _, test := range tests {
 		t.Run("", func(t *testing.T) {
-			assert.Equal(t, test.want, IsLocalHostname(test.hostname))
+			assert.Equal(t, test.want, IsLocalHostname(test.hostname, test.allowlist))
 		})
 	}
 }
--- a/internal/route/repo/webhook.go
+++ b/internal/route/repo/webhook.go
@ -128,7 +128,7 @@ func validateWebhook(actor *db.User, l macaron.Locale, w *db.Webhook) (field, ms
 			return "PayloadURL", l.Tr("repo.settings.webhook.err_cannot_parse_payload_url", err), false
 		}
-		if netutil.IsLocalHostname(payloadURL.Hostname()) {
+		if netutil.IsLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) {
 			return "PayloadURL", l.Tr("repo.settings.webhook.err_cannot_use_local_addresses"), false
 		}
 	}
--- a/templates/admin/config.tmpl
+++ b/templates/admin/config.tmpl
@ -210,6 +210,8 @@
 						<dd><i class="fa fa{{if .Security.EnableLoginStatusCookie}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.security.login_status_cookie_name"}}</dt>
 						<dd>{{.Security.LoginStatusCookieName}}</dd>
 						<dt>{{.i18n.Tr "admin.config.security.local_network_allowlist"}}</dt>
 						<dd><code>{{.Security.LocalNetworkAllowlist}}</code></dd>
 					</dl>
 				</div>