From 1eafc1da85002fd08a84d086b0534c1e53ebe629 Mon Sep 17 00:00:00 2001 From: Dzmitry Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com> Date: Thu, 22 May 2025 14:32:52 +0200 Subject: [PATCH] Remove FF for SSRF protection for dependency proxy Enable SSRF protection for dependency proxy for containers. Changelog: changed --- ...endency_proxy_for_containers_controller.rb | 2 - ...y_proxy_for_containers_ssrf_protection.yml | 9 --- ...cy_proxy_for_containers_controller_spec.rb | 70 +------------------ 3 files changed, 3 insertions(+), 78 deletions(-) delete mode 100644 config/feature_flags/gitlab_com_derisk/dependency_proxy_for_containers_ssrf_protection.yml diff --git a/app/controllers/groups/dependency_proxy_for_containers_controller.rb b/app/controllers/groups/dependency_proxy_for_containers_controller.rb index d6d16d56871c85..1bab8f6aac6a67 100644 --- a/app/controllers/groups/dependency_proxy_for_containers_controller.rb +++ b/app/controllers/groups/dependency_proxy_for_containers_controller.rb @@ -196,8 +196,6 @@ def manifest_header end def ssrf_params - return {} if Feature.disabled?(:dependency_proxy_for_containers_ssrf_protection, group) - { ssrf_filter: true, allow_localhost: allow_localhost?, diff --git a/config/feature_flags/gitlab_com_derisk/dependency_proxy_for_containers_ssrf_protection.yml b/config/feature_flags/gitlab_com_derisk/dependency_proxy_for_containers_ssrf_protection.yml deleted file mode 100644 index 0e9c24087acd58..00000000000000 --- a/config/feature_flags/gitlab_com_derisk/dependency_proxy_for_containers_ssrf_protection.yml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -name: dependency_proxy_for_containers_ssrf_protection -feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/520309 -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184626 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/523245 -milestone: '18.0' -group: group::package registry -type: gitlab_com_derisk -default_enabled: false diff --git a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb index 92ce3f4fc31a7e..c0075f8c66b291 100644 --- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb +++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb @@ -243,7 +243,7 @@ end end - shared_examples 'Allowed endpoints' do |empty: false| + shared_examples 'Allowed endpoints' do let(:allowed_endpoints) do ['http://127.0.0.1:9000'] end @@ -259,24 +259,6 @@ expect(send_data['AllowedEndpoints']).to eq(allowed_endpoints) end - - context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do - before do - stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) - end - - it 'does not include or sets to an empty array AllowedEndpoints in the Workhorse send-dependency instructions' do - subject - - _, send_data = workhorse_send_data - - if empty - expect(send_data['AllowedEndpoints']).to eq([]) - else - expect(send_data).not_to include('AllowedEndpoints') - end - end - end end shared_examples 'AllowLocalhost' do |disabled: false| 
@@ -296,20 +278,6 @@ expect(send_data).not_to include('AllowLocalhost') end end - - context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do - before do - stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) - end - - it 'sets AllowLocalhost to true' do - subject - - _, send_data = workhorse_send_data - - expect(send_data['AllowLocalhost']).to be(true) - end - end end before do @@ -416,20 +384,12 @@ expect(allowed_endpoints).to eq([]) end - context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do - before do - stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) - end - - it_behaves_like 'SSRFFilter', disabled: true - end - context 'when local requests are not allowed' do it_behaves_like 'AllowLocalhost', disabled: true end context 'with allowed endpoints' do - it_behaves_like 'Allowed endpoints', empty: true + it_behaves_like 'Allowed endpoints' end end @@ -460,14 +420,6 @@ ) end - context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do - before do - stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) - end - - it_behaves_like 'SSRFFilter' - end - context 'when local requests are not allowed' do it_behaves_like 'AllowLocalhost' end @@ -561,20 +513,12 @@ def get_manifest(tag) expect(allowed_endpoints).to eq([]) end - context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do - before do - stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) - end - - it_behaves_like 'SSRFFilter', disabled: true - end - context 'when local requests are not allowed' do it_behaves_like 'AllowLocalhost', disabled: true end context 'with allowed endpoints' do - it_behaves_like 'Allowed endpoints', empty: true + it_behaves_like 'Allowed endpoints' end end 
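Review bot: Every visible caller of the `SSRFFilter` shared examples is removed by this patch: `it_behaves_like 'SSRFFilter', disabled: true` in the hunks at `@@ -416,20 +384,12 @@` and `@@ -561,20 +513,12 @@`, and the plain `it_behaves_like 'SSRFFilter'` at `@@ -460,14 +420,6 @@` and `@@ -597,14 +541,6 @@`. Unless the assertions that close just above those removed contexts (outside the hunks) already check it, the spec may no longer pin that the filter is switched on in the Workhorse send-data. Since `ssrf_params` now always returns `ssrf_filter: true`, consider keeping an unconditional `it_behaves_like 'SSRFFilter'` in the blob and manifest contexts that fetch from the upstream registry, so that dropping the parameter later fails the spec. The shared example's definition is not visible here; if it has no remaining callers, it should be deleted together with its `disabled:` parameter rather than left as dead code.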
@@ -597,14 +541,6 @@ def get_manifest(tag) ) end - context 'when dependency_proxy_for_containers_ssrf_protection is disabled' do - before do - stub_feature_flags(dependency_proxy_for_containers_ssrf_protection: false) - end - - it_behaves_like 'SSRFFilter' - end - context 'when local requests are not allowed' do it_behaves_like 'AllowLocalhost' end -- GitLab