From a47b580f74db6ffceb27fba66f45e9b4ab022725 Mon Sep 17 00:00:00 2001
From: Andrej Shadura <andrew.shadura@collabora.co.uk>
Date: Tue, 18 Oct 2022 14:30:31 +0100
Subject: [PATCH] Trust private networks when OBS_TRUST_PRIVATE_NET is
 1/yes/true
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These ranges are commonly used by Docker and other cloud setups, and their
network configuration is often complex enough that permitting the whole range
is simpler, on the assumption that the operating system's IP filter is
configured to block improper access anyway.

OBS_TRUST_PRIVATE_NET is set by default by the backend Docker
entrypoint.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
---
 docker-compose.yml                  | 1 +
 docker/backend-docker-entrypoint.sh | 3 +++
 src/backend/BSConfiguration.pm      | 7 +++++++
 3 files changed, 11 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 88db449606..caea869f42 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,6 +26,7 @@ services:
     environment:
       OBS_FRONTEND_HOST: frontend
       OBS_BACKEND_HOST: backend
+      OBS_TRUST_PRIVATE_NET: 'yes'
     ports:
       - "127.0.0.1:8080:8080"
 
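Review bot: The explicit `OBS_TRUST_PRIVATE_NET: 'yes'` at L33 carries no comment saying what it grants, and it is either redundant or a no-op depending on which service this `environment:` block belongs to (the service name is outside the hunk). If this is the backend service, the entrypoint in the same patch already defaults the variable to `1`, so the line only documents intent; if it is the frontend, nothing in this patch reads the variable there. A one-line YAML comment would make the intent explicit for operators copying this compose file, e.g. `# grant rw to the 172.16/12 and 192.168/16 ranges; set to 'no' outside an isolated dev setup`.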
diff --git a/docker/backend-docker-entrypoint.sh b/docker/backend-docker-entrypoint.sh
index 6712288549..43b2c6313f 100755
--- a/docker/backend-docker-entrypoint.sh
+++ b/docker/backend-docker-entrypoint.sh
@@ -54,4 +54,7 @@ then
     mv /etc/supervisor/conf.d/obssigner.conf /etc/supervisor/conf.d/obssigner.conf.disabled
 fi
 
+: ${OBS_TRUST_PRIVATE_NET:=1}
+export OBS_TRUST_PRIVATE_NET
+
 exec /usr/bin/supervisord -n
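Review bot: The `:=` expansion at L45 makes the broad private-network grant the default and also treats an empty `OBS_TRUST_PRIVATE_NET=` as unset, so an operator who clears the variable still gets it turned on; only a value outside `1/yes/true` disables it. For a container image that may run outside an isolated dev bridge, opt-in is the safer default, and at minimum the effective value should be visible in the container log, e.g. `: "${OBS_TRUST_PRIVATE_NET:=1}"` followed by `echo "OBS_TRUST_PRIVATE_NET=${OBS_TRUST_PRIVATE_NET}"`. Quoting the expansion also keeps shellcheck quiet. The `fi` at L43 closes an `if` that starts outside the hunk.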
diff --git a/src/backend/BSConfiguration.pm b/src/backend/BSConfiguration.pm
index 9e095a564e..2cad9bb0cb 100644
--- a/src/backend/BSConfiguration.pm
+++ b/src/backend/BSConfiguration.pm
@@ -94,4 +94,11 @@ $BSConfig::cloudupload_pubkey       = $BSConfig::cloudupload_pubkey       || '/e
 
 $BSConfig::redisserver = undef unless $BSConfig::redisserver;
 
+if (grep {($ENV{'OBS_TRUST_PRIVATE_NET'} || '') eq $_} qw(1 yes true)) {
+  $BSConfig::ipaccess->{'^172\.1[6-9]\..*'} = 'rw';
+  $BSConfig::ipaccess->{'^172\.2[0-9]\..*'} = 'rw';
+  $BSConfig::ipaccess->{'^172\.3[01]\..*'} = 'rw';
+  $BSConfig::ipaccess->{'^192\.168\..*'} = 'rw';
+}
+
 1;
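Review bot: The env-var check at L57 is case-sensitive, so `YES` or `True` (common in compose files and CI) silently leaves the grant off, while the three regex keys below duplicate the 172.16/12 range across entries and carry a redundant trailing `.*` (the keys already look like anchored regexes, judging by the `[6-9]` classes). The block also lacks any comment stating that it hands `rw` to every host in two RFC 1918 ranges and relies on the host firewall, which is the security-relevant fact a later maintainer needs. Note 10.0.0.0/8 is the third RFC 1918 range and is not covered; whether that is deliberate (Docker's default pools do not use it) is worth a comment either way. Folding the check to lower case and collapsing the 172 entries into one key keeps behaviour for the documented spellings and makes the grant easier to audit:
```perl
# Opt-in (the backend container entrypoint enables it by default): grant 'rw'
# to the RFC 1918 ranges Docker hands out by default. This trusts every host
# on those networks and relies on the host IP filter to keep the backend ports
# off untrusted networks; 10.0.0.0/8 is intentionally not included.
my $trust_private_net = lc($ENV{'OBS_TRUST_PRIVATE_NET'} || '');
if (grep { $trust_private_net eq $_ } qw(1 yes true)) {
  $BSConfig::ipaccess->{'^172\.(?:1[6-9]|2[0-9]|3[01])\.'} = 'rw';
  $BSConfig::ipaccess->{'^192\.168\.'} = 'rw';
}
```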
-- 
GitLab