stable

Make it possible to save CIDR ranges that are allowed or denied for outbound HTTP requests

This step only makes it possible to store the information for now; it will be used in upcoming contributions. It has been split into 2 different parameters to make it possible to offer a safe (for most use cases) setup by default that is still usable.

Outbound HTTP requests will be allowed if (ordered by priority):

1. the target IP is present in the user defined allow list
2. the target IP is not present in the user defined deny list
3. the target IP is not present in the default deny list

This approach makes it possible to poke holes in the deny list by adding a new allowed range in the allow list. This way administrators are less likely to make mistakes and allow more things than expected.

This approach also allows for an allowlist-only approach by putting all IPv4 and IPv6 ranges in the deny list (`0.0.0.0/0,::/0`) and just allowing what you expect to use in the allow list.

Part of request #31580: Filter outbound HTTP requests

Change-Id: Ifa9b9e436e30657169b18676a533dc4dba807e29
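The evaluation order described in the commit message above, modeled as an added Python example; it is not Tuleap's code. The function names, the `DEFAULT_DENY` value and the rule that a user-defined deny list replaces the default one are assumptions, since the page shows none of them.

```python
import ipaddress

# Constructed stand-in: the page does not show the project's default deny list.
DEFAULT_DENY = ("127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,"
                "169.254.0.0/16,::1/128,fc00::/7,fe80::/10")


def parse_ranges(value):
    """Parse a comma-separated CIDR list; ValueError on any malformed entry."""
    return [ipaddress.ip_network(item.strip())
            for item in value.split(",") if item.strip()]


def in_any(addr, ranges):
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in ranges)


def is_allowed(target_ip, user_allow="", user_deny=None):
    """Decide whether an outbound request to target_ip may proceed."""
    addr = ipaddress.ip_address(target_ip)
    # 1. The user-defined allow list has the highest priority.
    if in_any(addr, parse_ranges(user_allow)):
        return True
    # 2./3. Assumption: a user-defined deny list replaces the default one.
    deny = DEFAULT_DENY if user_deny is None else user_deny
    return not in_any(addr, parse_ranges(deny))


if __name__ == "__main__":
    # Hole poked in the default deny list for one internal subnet.
    print(is_allowed("10.1.2.3"),
          is_allowed("10.1.2.3", user_allow="10.1.2.0/24"))
    # Allowlist-only setup from the commit message.
    everything = "0.0.0.0/0,::/0"
    print(is_allowed("203.0.113.10", "203.0.113.0/24", everything),
          is_allowed("2001:db8::1", "203.0.113.0/24", everything))
```

The decision must be made on the IP address the HTTP client actually connects to, not on a separately resolved hostname, otherwise the lists can be bypassed by a name that resolves differently at connection time.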

Modified Files

Name
M src/common/Config/GetConfigKeys.php +2 −0
A src/common/Http/Client/CIDRRangesValidator.php +77 −0
A src/common/Http/Client/OutboundHTTPRequestSettings.php +39 −0
A tests/unit/common/Http/Client/CIDRRangesValidatorTest.php +75 −0
M tools/docker/tuleap-aio-dev/run.sh +3 −0