Files @ f08fbf424898
Branch filter:

Location: kallithea/scripts/validate-commits

f08fbf424898 1.7 KiB text/plain Show Annotation Show as Raw Download as Raw
mads
auth: don't trust clients too much - only trust the *last* IP in the X-Forwarded-For header

The X-Forwarded-For header contains a list of IP addresses, where each
proxy server appends the IP they see their request coming from.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For .

Trusting the *first* IP in HTTP_X_FORWARDED_FOR would allow clients to claim
any IP, which could be used to bypass IP restrictions configured in Kallithea.

Instead, only trust the last proxy in the chain, and thus only use the *last*
IP in HTTP_X_FORWARDED_FOR. (In setups where more than last IP should be
trusted, the last proxy server in the chain must be configured rewrite the
header accordingly.)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#!/bin/bash
# Validate the specified commits against test suite and other checks.

if [ -n "$VIRTUAL_ENV" ]; then
    echo "Please run this script from outside a virtualenv."
    exit 1
fi

if ! hg update --check -q .; then
    echo "Working dir is not clean, please commit/revert changes first."
    exit 1
fi

revset=$1
if [ -z "$revset" ]; then
    echo "Warning: no revisions specified, checking draft changes up to the current one."
    revset='draft() and ancestors(.)'
fi

venv=$(mktemp -d kallithea-validatecommits-env-XXXXXX)
resultfile=$(mktemp kallithea-validatecommits-result-XXXXXX)
echo > "$resultfile"

cleanup()
{
    rm -rf /tmp/kallithea-test*
    rm -rf "$venv"
}
finish()
{
    cleanup
    # print (possibly intermediate) results
    cat "$resultfile"
    rm "$resultfile"
}
trap finish EXIT

for rev in $(hg log -r "$revset" -T '{node}\n'); do
    hg log -r "$rev"
    hg update "$rev"

    cleanup
    python3 -m venv "$venv"
    source "$venv/bin/activate"
    pip install --upgrade pip setuptools
    pip install -e . -r dev_requirements.txt python-ldap python-pam

    # run-all-cleanup
    if ! scripts/run-all-cleanup ; then
        echo "run-all-cleanup encountered errors!"
        result="NOK"
    else
        if ! hg update --check -q .; then
            echo "run-all-cleanup did not give clean results!"
            result="NOK"
            hg diff
            hg revert -a
        else
            result=" OK"
        fi
    fi
    echo "$result: $rev (run-all-cleanup)" >> "$resultfile"

    # pytest
    if py.test; then
        result=" OK"
    else
        result="NOK"
    fi
    echo "$result: $rev (pytest)" >> "$resultfile"

    deactivate
    echo
done
Server instance: clio-6756 This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3. – Support