Add latest changes from gitlab-org/gitlab@15-9-stable-ee

GitLab Bot 2023-03-01 00:09:51 +00:00
parent 260c87f94e
commit 6b75388b67
8 changed files with 30 additions and 51 deletions


@ -155,10 +155,6 @@ helm upgrade --install gitlab-agent gitlab/gitlab-agent \
...
```
NOTE:
DNS rebind protection is disabled when either the HTTP_PROXY or the HTTPS_PROXY environment variable is set,
and the domain DNS can't be resolved.
#### Advanced installation method
GitLab also provides a [KPT package for the agent](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/build/deployment/gitlab-agent). This method provides greater flexibility, but is only recommended for advanced users.


@ -7,8 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Import your project from GitHub to GitLab **(FREE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/381902) in GitLab 15.8, GitLab no longer automatically creates namespaces or groups that don't exist. GitLab also no longer falls back to using the user's personal namespace if the namespace or group name is taken.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/378267) in GitLab 15.9, GitLab instances behind proxies no longer require `github.com` and `api.github.com` entries in the [allowlist for local requests](../../../security/webhooks.md#create-an-allowlist-for-local-requests).
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/381902) in GitLab 15.8, GitLab no longer automatically creates namespaces or groups that don't exist. GitLab also no longer falls back to using the user's personal namespace if the namespace or group name is taken.
You can import your GitHub projects from either GitHub.com or GitHub Enterprise. Importing projects does not
migrate or import any types of groups or organizations from GitHub to GitLab.
@ -63,8 +62,9 @@ prerequisites for those imports.
If you are importing from GitHub Enterprise to a self-managed GitLab instance:
- You must first enable the [GitHub integration](../../../integration/github.md).
- For GitLab 15.8 and earlier, you must add `github.com` and `api.github.com` entries in the
[allowlist for local requests](../../../security/webhooks.md#create-an-allowlist-for-local-requests).
- If GitLab is behind a HTTP/HTTPS proxy, you must populate the [allowlist for local requests](../../../security/webhooks.md#create-an-allowlist-for-local-requests)
with `github.com` and `api.github.com` to solve the hostname. For more information, read the issue
[Importing a GitHub project requires DNS resolution even when behind a proxy](https://gitlab.com/gitlab-org/gitlab/-/issues/37941).
### Importing from GitHub.com to self-managed GitLab


@ -59,6 +59,8 @@ module Gitlab
end
def dns_rebind_protection?
return false if Gitlab.http_proxy_env?
Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
end
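Review bot: The new early return `return false if Gitlab.http_proxy_env?` overrides the administrator's `dns_rebinding_protection_enabled?` setting with no comment saying why, so a reader cannot tell that the protection is off for this adapter whenever a proxy variable is set. A short comment above it would help, for example `# Behind a proxy the proxy resolves the hostname, so resolved-IP pinning is skipped` (presumably the reason; confirm). It is also worth confirming how `http_proxy_env?` treats hosts that bypass the proxy (for example through `no_proxy`), since those requests would lose the check as well. The enclosing class starts outside the hunk.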


@ -11,8 +11,7 @@ module Gitlab
Gitlab::UrlBlocker.validate!(env[:url],
schemes: %w[http https],
allow_localhost: allow_local_requests?,
allow_local_network: allow_local_requests?,
dns_rebind_protection: dns_rebind_protection?
allow_local_network: allow_local_requests?
)
@app.call(env)
@ -23,10 +22,6 @@ module Gitlab
def allow_local_requests?
Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
end
def dns_rebind_protection?
Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
end
end
end
end
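Review bot: With `dns_rebind_protection: dns_rebind_protection?` dropped from the `Gitlab::UrlBlocker.validate!` call, this middleware no longer consults `dns_rebinding_protection_enabled?` and relies on whatever default `validate!` has for that keyword, which is not visible here. If that default enforces the check, an instance where an administrator turned the setting off will still have import URLs validated against DNS, which is the stricter outcome but differs from the setting. Either keep the explicit argument or add a comment at the call, such as `# dns_rebind_protection is left at the UrlBlocker default on purpose`. Both hunks sit inside a class whose start is outside the view.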


@ -121,8 +121,8 @@ module Gitlab
end
rescue SocketError
# If the dns rebinding protection is not enabled or the domain
# is allowed, or HTTP_PROXY is set we avoid the dns rebinding checks
return if domain_allowed?(uri) || !dns_rebind_protection || Gitlab.http_proxy_env?
# is allowed we avoid the dns rebinding checks
return if domain_allowed?(uri) || !dns_rebind_protection
# In the test suite we use a lot of mocked urls that are either invalid or
# don't exist. In order to avoid modifying a ton of tests and factories
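Review bot: Once `Gitlab.http_proxy_env?` is removed from the `rescue SocketError` guard, a lookup failure behind a proxy falls through to the code below the hunk, and no spec in this commit pins that outcome; the 'with HTTP_PROXY' context in the UrlBlocker spec is deleted without a replacement. A spec that stubs `http_proxy_env?` to true, makes resolution raise `SocketError`, and asserts the expected result (presumably `BlockedUrlError` unless the domain is allowlisted) would keep this path from changing silently. The rescue body continues outside the hunk.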


@ -111,6 +111,20 @@ RSpec.describe Gitlab::HTTPConnectionAdapter do
end
end
context 'when http(s) environment variable is set' do
before do
stub_env('https_proxy' => 'https://my.proxy')
end
it 'sets up the connection' do
expect(connection).to be_a(Gitlab::NetHttpAdapter)
expect(connection.address).to eq('example.org')
expect(connection.hostname_override).to eq(nil)
expect(connection.addr_port).to eq('example.org')
expect(connection.port).to eq(443)
end
end
context 'when URL scheme is not HTTP/HTTPS' do
let(:uri) { URI('ssh://example.org') }
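Review bot: The added context is named 'when http(s) environment variable is set' but only `https_proxy` is stubbed, so the `http_proxy` case is not exercised. The example title 'sets up the connection' also hides what is being checked, which appears to be that no resolved IP is pinned; `it 'does not override the hostname with a resolved IP'` (wording inferred from the `hostname_override` assertion) would say so. `expect(connection.hostname_override).to be_nil` is the more usual matcher than `eq(nil)`.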


@ -6,7 +6,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
let(:app) { double(:app) }
let(:middleware) { described_class.new(app) }
shared_examples 'Allowed URL' do
shared_examples 'Public URL' do
it 'does not raise an error' do
expect(app).to receive(:call).with(env)
@ -14,7 +14,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
end
end
shared_examples 'Blocked URL' do
shared_examples 'Local URL' do
it 'raises an error' do
expect { middleware.call(env) }.to raise_error(Gitlab::UrlBlocker::BlockedUrlError)
end
@ -24,24 +24,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
context 'when the URL is a public URL' do
let(:env) { { url: 'https://public-url.com' } }
it_behaves_like 'Allowed URL'
context 'with failed address check' do
before do
stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
allow(Addrinfo).to receive(:getaddrinfo).and_raise(SocketError)
end
it_behaves_like 'Blocked URL'
context 'with disabled dns rebinding check' do
before do
stub_application_setting(dns_rebinding_protection_enabled: false)
end
it_behaves_like 'Allowed URL'
end
end
it_behaves_like 'Public URL'
end
context 'when the URL is a localhost address' do
@ -52,7 +35,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
end
it_behaves_like 'Blocked URL'
it_behaves_like 'Local URL'
end
context 'when localhost requests are allowed' do
@ -60,7 +43,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
end
it_behaves_like 'Allowed URL'
it_behaves_like 'Public URL'
end
end
@ -72,7 +55,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
end
it_behaves_like 'Blocked URL'
it_behaves_like 'Local URL'
end
context 'when local network requests are allowed' do
@ -80,7 +63,7 @@ RSpec.describe Gitlab::Octokit::Middleware, feature_category: :importers do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
end
it_behaves_like 'Allowed URL'
it_behaves_like 'Public URL'
end
end
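Review bot: The renamed shared examples describe the URL rather than the outcome, so `it_behaves_like 'Public URL'` now appears under 'when localhost requests are allowed' and 'when local network requests are allowed', where the URL is not public. Names such as 'Allowed URL' and 'Blocked URL' state what each example asserts (no error versus `Gitlab::UrlBlocker::BlockedUrlError`). The removed 'with failed address check' context also leaves the middleware without a spec for a failing DNS lookup.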


@ -174,17 +174,6 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
expect { subject }.to raise_error(described_class::BlockedUrlError)
end
context 'with HTTP_PROXY' do
before do
allow(Gitlab).to receive(:http_proxy_env?).and_return(true)
end
it_behaves_like 'validates URI and hostname' do
let(:expected_uri) { import_url }
let(:expected_hostname) { nil }
end
end
end
context 'when domain is too long' do