From 3e16ad961d2d61d4c702bd0e3c80bf918d76db00 Mon Sep 17 00:00:00 2001 From: David Fernandez Date: Fri, 25 Jul 2025 12:12:28 +0200 Subject: [PATCH] Revert "Remove FF for SSRF protection for dependency proxy" This reverts commit 1eafc1da85002fd08a84d086b0534c1e53ebe629. --- ...endency_proxy_for_containers_controller.rb | 2 + ...y_proxy_for_containers_ssrf_protection.yml | 9 +++ ...cy_proxy_for_containers_controller_spec.rb | 70 ++++++++++++++++++- 3 files changed, 78 insertions(+), 3 deletions(-) create mode 100644 config/feature_flags/gitlab_com_derisk/dependency_proxy_for_containers_ssrf_protection.yml diff --git a/app/controllers/groups/dependency_proxy_for_containers_controller.rb b/app/controllers/groups/dependency_proxy_for_containers_controller.rb index 19525247d0239e..9780cf08aef905 100644 --- a/app/controllers/groups/dependency_proxy_for_containers_controller.rb +++ b/app/controllers/groups/dependency_proxy_for_containers_controller.rb @@ -196,6 +196,8 @@ def manifest_header end def ssrf_params + return {} if Feature.disabled?(:dependency_proxy_for_containers_ssrf_protection, group) + { ssrf_filter: true, allow_localhost: allow_localhost?, diff --git a/config/feature_flags/gitlab_com_derisk/dependency_proxy_for_containers_ssrf_protection.yml b/config/feature_flags/gitlab_com_derisk/dependency_proxy_for_containers_ssrf_protection.yml new file mode 100644 index 00000000000000..0e9c24087acd58 --- /dev/null +++ b/config/feature_flags/gitlab_com_derisk/dependency_proxy_for_containers_ssrf_protection.yml @@ -0,0 +1,9 @@ +--- +name: dependency_proxy_for_containers_ssrf_protection +feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/520309 +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184626 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/523245 +milestone: '18.0' +group: group::package registry +type: gitlab_com_derisk +default_enabled: false diff --git a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb index 8220c4713a4870..cc8f6cdd4a3d8e 100644 --- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb +++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb @@ -223,7 +223,7 @@ end end - shared_examples 'Allowed endpoints' do + shared_examples 'Allowed endpoints' do |empty: false| let(:enabled_endpoint_uris) { [URI('192.168.1.1')] } let(:outbound_local_requests_allowlist) { ['127.0.0.1'] } let(:allowed_endpoints) { enabled_endpoint_uris.map(&:to_s) + outbound_local_requests_allowlist } @@ -240,6 +240,24 @@ expect(send_data['AllowedEndpoints']).to eq(allowed_endpoints) end + + context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do + before do + stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) + end + + it 'does not include or sets to an empty array AllowedEndpoints in the Workhorse send-dependency instructions' do + subject + + _, send_data = workhorse_send_data + + if empty + expect(send_data['AllowedEndpoints']).to eq([]) + else + expect(send_data).not_to include('AllowedEndpoints') + end + end + end end shared_examples 'AllowLocalhost' do |disabled: false| @@ -259,6 +277,20 @@ expect(send_data).not_to include('AllowLocalhost') end end + + context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do + before do + stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) + end + + it 'sets AllowLocalhost to true' do + subject + + _, send_data = workhorse_send_data + + expect(send_data['AllowLocalhost']).to be(true) + end + end end before do @@ -365,12 +397,20 @@ expect(allowed_endpoints).to eq([]) end + context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do + before do + stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) + end + + it_behaves_like 'SSRFFilter', disabled: true + end + context 'when local requests are not allowed' do it_behaves_like 'AllowLocalhost', disabled: true end context 'with allowed endpoints' do - it_behaves_like 'Allowed endpoints' + it_behaves_like 'Allowed endpoints', empty: true end end @@ -401,6 +441,14 @@ ) end + context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do + before do + stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) + end + + it_behaves_like 'SSRFFilter' + end + context 'when local requests are not allowed' do it_behaves_like 'AllowLocalhost' end @@ -490,12 +538,20 @@ def get_manifest(tag) expect(allowed_endpoints).to eq([]) end + context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do + before do + stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) + end + + it_behaves_like 'SSRFFilter', disabled: true + end + context 'when local requests are not allowed' do it_behaves_like 'AllowLocalhost', disabled: true end context 'with allowed endpoints' do - it_behaves_like 'Allowed endpoints' + it_behaves_like 'Allowed endpoints', empty: true end end @@ -518,6 +574,14 @@ def get_manifest(tag) ) end + context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do + before do + stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) + end + + it_behaves_like 'SSRFFilter' + end + context 'when local requests are not allowed' do it_behaves_like 'AllowLocalhost' end -- GitLab