forgejo/modules
Jason Song 4e98224a45
Support allowed hosts for webhook to work with proxy (#27655)
When `webhook.PROXY_URL` has been set, the old code will check if the
proxy host is in `ALLOWED_HOST_LIST` or reject requests through the
proxy. It requires users to add the proxy host to `ALLOWED_HOST_LIST`.
However, it actually allows all requests to any port on the host, when
the proxy host is probably an internal address.

But things may be even worse. `ALLOWED_HOST_LIST` doesn't really work
when requests are sent to the allowed proxy, and the proxy could forward
them to any hosts.

This PR fixes it by:

- If the proxy has been set, always allow connectioins to the host and
port.
- Check `ALLOWED_HOST_LIST` before forwarding.
2023-10-18 09:44:36 +00:00
..
actions chore(actions): support cron schedule task (#26655) 2023-08-24 03:06:51 +00:00
activitypub make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
analyze Rename code_langauge.go to code_language.go (#26377) 2023-08-07 15:00:53 -04:00
assetfs Use Set[Type] instead of map[Type]bool/struct{}. (#26804) 2023-08-30 06:55:25 +00:00
auth Next round of db.DefaultContext refactor (#27089) 2023-09-16 14:39:12 +00:00
avatar Remove nfnt/resize and oliamb/cutter (#25999) 2023-07-20 19:52:42 +08:00
base
cache improve unit test for caching (#26185) 2023-07-27 22:24:40 +02:00
charset
container
context Final round of db.DefaultContext refactor (#27587) 2023-10-14 08:37:24 +00:00
contexttest Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
csv
doctor Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
emoji
eventsource Final round of db.DefaultContext refactor (#27587) 2023-10-14 08:37:24 +00:00
generate Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
git Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
gitgraph More db.DefaultContext refactor (#27265) 2023-09-29 12:12:54 +00:00
graceful Allow the use of alternative net.Listener implementations by downstreams (#25855) 2023-07-24 07:18:17 +00:00
hcaptcha
highlight Upgrade go dependencies (#25819) 2023-07-14 11:00:31 +08:00
hostmatcher Support allowed hosts for webhook to work with proxy (#27655) 2023-10-18 09:44:36 +00:00
html Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
httpcache
httplib
indexer Improve retrying index issues (#27554) 2023-10-15 18:56:57 +00:00
issue/template
json
label
lfs Refactor lfs requests (#26783) 2023-09-18 08:40:50 +00:00
log Reduce some allocations in type conversion (#26772) 2023-08-29 00:43:16 +08:00
markup fix media description render for orgmode (#26895) 2023-09-13 05:44:59 +00:00
mcaptcha
metrics Reduce usage of db.DefaultContext (#27073) 2023-09-14 17:09:32 +00:00
migration
nosql
options
packages Use docs.gitea.com instead of docs.gitea.io (#26739) 2023-08-27 11:59:12 +00:00
paginator
pprof
private
process Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
proxy
proxyprotocol
public Serve pre-defined files in "public", add "security.txt", add CORS header for ".well-known" (#25974) 2023-07-21 12:14:20 +00:00
queue Increase queue length (#27555) 2023-10-10 18:47:49 +08:00
recaptcha
references Replace 'userxx' with 'orgxx' in all test files when the user type is org (#27052) 2023-09-14 02:59:53 +00:00
regexplru Upgrade go dependencies (#25819) 2023-07-14 11:00:31 +08:00
repository Refactor system setting (#27000) 2023-10-05 09:08:19 +08:00
secret
session Next round of db.DefaultContext refactor (#27089) 2023-09-16 14:39:12 +00:00
setting Enhanced auth token / remember me (#27606) 2023-10-14 00:56:41 +00:00
sitemap
ssh restrict certificate type for builtin SSH server (#26789) 2023-09-01 13:45:22 +00:00
storage Fix object storage path handling (#27024) 2023-09-13 01:18:52 +00:00
structs Restore warning commit status (#27504) 2023-10-08 22:16:06 +00:00
svg Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
sync
system Replace more db.DefaultContext (#27628) 2023-10-15 17:46:06 +02:00
templates Improve feed icons and feed merge text color (#27498) 2023-10-07 23:26:27 +00:00
test Move web/api context related testing function into a separate package (#26859) 2023-09-01 11:26:07 +00:00
testlogger
timeutil
translation
turnstile
typesniffer Detect ogg mime-type as audio or video (#26494) 2023-08-15 10:31:25 +08:00
updatechecker Replace more db.DefaultContext (#27628) 2023-10-15 17:46:06 +02:00
upload
uri
user
util Refactor lfs requests (#26783) 2023-09-18 08:40:50 +00:00
validation Check blocklist for emails when adding them to account (#26812) 2023-08-30 10:46:49 -05:00
web Remove some dead code (#27196) 2023-09-22 23:30:31 +08:00
webhook