From 65a1f5fc59f2113aa202952d8c01c69d2c8ee204 Mon Sep 17 00:00:00 2001
From: Radamanthus Batnag
Date: Fri, 25 Jul 2025 17:19:12 +0800
Subject: [PATCH] Add outbound allowlist to allowed endpoints for SSRF filter

Add `outbound_local_requests_whitelist` from the settings to the list of allowed endpoints for SSRF filter for package registry

Changelog: added
---
 lib/packages/ssrf_protection.rb | 5 +++-
 spec/lib/packages/ssrf_protection_spec.rb | 29 ++++++++++++++++-------
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/lib/packages/ssrf_protection.rb b/lib/packages/ssrf_protection.rb
index 6b42c4decaa15f..bd3039ef695c91 100644
--- a/lib/packages/ssrf_protection.rb
+++ b/lib/packages/ssrf_protection.rb
@@ -9,7 +9,10 @@ def self.params_for(package)
       {
         ssrf_filter: true,
         allow_localhost: allow_localhost?,
-        allowed_endpoints: ObjectStoreSettings.enabled_endpoint_uris
+        # rubocop:disable Naming/InclusiveLanguage -- existing setting
+        allowed_endpoints: ObjectStoreSettings.enabled_endpoint_uris.map(&:to_s) +
+          Gitlab::CurrentSettings.outbound_local_requests_whitelist
+        # rubocop:enable Naming/InclusiveLanguage
       }
     end
diff --git a/spec/lib/packages/ssrf_protection_spec.rb b/spec/lib/packages/ssrf_protection_spec.rb
index 4e3c9cc3290a48..c49495381d3f7b 100644
--- a/spec/lib/packages/ssrf_protection_spec.rb
+++ b/spec/lib/packages/ssrf_protection_spec.rb
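Review bot: The new `allowed_endpoints` value concatenates two differently-shaped lists — `enabled_endpoint_uris` stringified, and the raw `outbound_local_requests_whitelist` entries, which as the instance-wide outbound allowlist presumably can hold bare hostnames or CIDR ranges rather than full URIs; the hunk does not show whether the SSRF filter that consumes `allowed_endpoints` matches those formats the same way, so that should be confirmed and recorded in a comment. The first operand also changes type from URI objects to strings, which any existing consumer of `allowed_endpoints` outside this file may not expect. Suggest parenthesizing the sum with `.uniq` so duplicate entries from the two sources collapse, and a comment such as `# The admin-configured outbound allowlist (hosts/CIDRs) is trusted for package forwarding as well; the ssrf filter must accept both formats`. `params_for`'s signature and the start of its body are outside the hunk.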
@@ -21,15 +21,28 @@ end
   context 'when package type is supported' do
-    it 'returns SSRF protection params for generic package' do
-      result = described_class.params_for(generic_package)
-
-      expect(result).to include(
-        ssrf_filter: true,
-        allow_localhost: true,
-        allowed_endpoints: ObjectStoreSettings.enabled_endpoint_uris
-      )
+    # rubocop:disable Naming/InclusiveLanguage -- existing setting
+    context 'with generic package' do
+      let(:enabled_endpoint_uris) { [URI('192.168.1.1')] }
+      let(:outbound_local_requests_whitelist) { ['127.0.0.1'] }
+      let(:allowed_endpoints) { ['192.168.1.1', '127.0.0.1'] }
+
+      before do
+        allow(ObjectStoreSettings).to receive(:enabled_endpoint_uris).and_return(enabled_endpoint_uris)
+        stub_application_setting(outbound_local_requests_whitelist: outbound_local_requests_whitelist)
+      end
+
+      it 'returns SSRF protection params' do
+        result = described_class.params_for(generic_package)
+
+        expect(result).to include(
+          ssrf_filter: true,
+          allow_localhost: true,
+          allowed_endpoints: allowed_endpoints
+        )
+      end
     end
+    # rubocop:enable Naming/InclusiveLanguage
 
     context 'when in production environment' do
       before do
-- 
GitLab
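Review bot: The fixture `URI('192.168.1.1')` on the `let(:enabled_endpoint_uris)` line parses as a scheme-less generic URI whose `to_s` is just `'192.168.1.1'`, so the assertion passes without exercising a realistic object-store endpoint that carries a scheme and port; `let(:enabled_endpoint_uris) { [URI('http://192.168.1.1:9000')] }` with the matching expected string would make the `.map(&:to_s)` conversion observable. There is also no case for an empty `outbound_local_requests_whitelist` (likely the default on most instances) nor for an entry present in both lists, so a second `context` stubbing `outbound_local_requests_whitelist: []` and expecting only the stringified object-store endpoints would pin that path. The enclosing `describe`/`context` blocks begin before the hunk and the `'when in production environment'` context continues after it.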