AKS / Azure Blob: Creating project from template results in `URL is blocked`
Summary
GitLab deployed on AKS considers Azure Blob as "local resource", triggering SSRF protection.
Steps to reproduce
- Spin up AKS Charts deployment with Azure Blobs object storage
- Create new project
- "From Template"
- Pick any template
Configuration used
(Please provide a sanitized version of the configuration used wrapped in a code block (```yaml))
(Paste sanitized configuration here)
TBD
Current behavior
Errors out with the following message:
URL [FILTERED] is blocked: Requests to the local network are not allowed
Expected behavior
Import being completed successfully, project getting created.
Versions
- Chart: (tagged version | branch | hash
git rev-parse HEAD
) - Platform:
- Cloud: AKS
- Kubernetes: (
kubectl version
)- Client:
- Server:
- Helm: (
helm version
)- Client:
- Server:
Relevant logs
exceptions_json.log
[
{
"severity": "ERROR",
"time": "2022-04-08T08:33:03.201Z",
"correlation_id": "01G044WAW86R15GEVF4KFN6QB4",
"exception.class": "Gitlab::HTTP::BlockedUrlError",
"exception.message": "URL 'https://REDACTED.blob.core.windows.net/gitlab-uploads/project/avatar/37/Tibco%2BSoftware%2Binc.png?sp=r&sv=2018-11-09&sr=b&se=2022-04-08T08%3A43%3A03Z&spr=https&sig=j0MCI9Rybqm7vSYDyYQxU%2BnFKUkBTIL2Mw%2BdVywCXzg%3D' is blocked: Requests to the local network are not allowed",
"exception.backtrace": [
"lib/gitlab/http_connection_adapter.rb:53:in `rescue in validate_url!'",
"lib/gitlab/http_connection_adapter.rb:47:in `validate_url!'",
"lib/gitlab/http_connection_adapter.rb:27:in `connection'",
"lib/gitlab/http.rb:50:in `perform_request'",
"lib/gitlab/import_export/command_line_util.rb:68:in `block in download'",
"lib/gitlab/import_export/command_line_util.rb:65:in `open'",
"lib/gitlab/import_export/command_line_util.rb:65:in `download'",
"lib/gitlab/import_export/command_line_util.rb:60:in `download_or_copy_upload'",
"lib/gitlab/import_export/uploads_manager.rb:88:in `download_and_copy'",
"lib/gitlab/import_export/uploads_manager.rb:55:in `block in copy_project_uploads'",
"lib/gitlab/import_export/uploads_manager.rb:68:in `each_uploader'",
"lib/gitlab/import_export/uploads_manager.rb:47:in `copy_project_uploads'",
"lib/gitlab/import_export/uploads_manager.rb:17:in `save'",
"lib/gitlab/import_export/avatar_saver.rb:18:in `save'",
"app/services/projects/import_export/export_service.rb:58:in `all?'",
"app/services/projects/import_export/export_service.rb:58:in `save_exporters'",
"app/services/projects/import_export/export_service.rb:50:in `save_all!'",
"app/services/projects/import_export/export_service.rb:20:in `execute'",
"app/services/concerns/measurable.rb:35:in `execute'",
"app/workers/project_export_worker.rb:24:in `perform'",
"lib/gitlab/database/load_balancing/sidekiq_server_middleware.rb:26:in `call'",
"lib/gitlab/sidekiq_middleware/duplicate_jobs/strategies/until_executing.rb:16:in `perform'",
"lib/gitlab/sidekiq_middleware/duplicate_jobs/duplicate_job.rb:58:in `perform'",
"lib/gitlab/sidekiq_middleware/duplicate_jobs/server.rb:8:in `call'",
"lib/gitlab/sidekiq_middleware/worker_context.rb:9:in `wrap_in_optional_context'",
"lib/gitlab/sidekiq_middleware/worker_context/server.rb:17:in `block in call'",
"lib/gitlab/application_context.rb:88:in `block in use'",
"lib/gitlab/application_context.rb:88:in `use'",
"lib/gitlab/application_context.rb:41:in `with_context'",
"lib/gitlab/sidekiq_middleware/worker_context/server.rb:15:in `call'",
"lib/gitlab/sidekiq_status/server_middleware.rb:7:in `call'",
"lib/gitlab/sidekiq_versioning/middleware.rb:9:in `call'",
"lib/gitlab/sidekiq_middleware/query_analyzer.rb:7:in `block in call'",
"lib/gitlab/database/query_analyzer.rb:46:in `within'",
"lib/gitlab/sidekiq_middleware/query_analyzer.rb:7:in `call'",
"lib/gitlab/sidekiq_middleware/admin_mode/server.rb:14:in `call'",
"lib/gitlab/sidekiq_middleware/instrumentation_logger.rb:9:in `call'",
"lib/gitlab/sidekiq_middleware/batch_loader.rb:7:in `call'",
"lib/gitlab/sidekiq_middleware/extra_done_log_metadata.rb:7:in `call'",
"lib/gitlab/sidekiq_middleware/request_store_middleware.rb:10:in `block in call'",
"lib/gitlab/with_request_store.rb:17:in `enabling_request_store'",
"lib/gitlab/with_request_store.rb:10:in `with_request_store'",
"lib/gitlab/sidekiq_middleware/request_store_middleware.rb:9:in `call'",
"lib/gitlab/sidekiq_middleware/arguments_logger.rb:8:in `call'",
"lib/gitlab/sidekiq_middleware/server_metrics.rb:74:in `block in call'",
"lib/gitlab/sidekiq_middleware/server_metrics.rb:97:in `block in instrument'",
"lib/gitlab/metrics/background_transaction.rb:33:in `run'",
"lib/gitlab/sidekiq_middleware/server_metrics.rb:97:in `instrument'",
"lib/gitlab/sidekiq_middleware/server_metrics.rb:73:in `call'",
"lib/gitlab/sidekiq_middleware/monitor.rb:10:in `block in call'",
"lib/gitlab/sidekiq_daemon/monitor.rb:49:in `within_job'",
"lib/gitlab/sidekiq_middleware/monitor.rb:9:in `call'",
"lib/gitlab/sidekiq_middleware/size_limiter/server.rb:13:in `call'"
],
"user.username": "REDACTED",
"tags.program": "sidekiq",
"tags.locale": "en",
"tags.feature_category": "importers",
"tags.correlation_id": "01G044WAW86R15GEVF4KFN6QB4",
"extra.sidekiq": {
"retry": false,
"queue": "project_template_export",
"version": 0,
"backtrace": 5,
"dead": false,
"status_expiration": 21600,
"args": [
"2",
"37",
"{\"export_into_project_id\"=>2236}",
"{}"
],
"class": "ProjectTemplateExportWorker",
"jid": "c50277b21c5459a8b00bed70",
"created_at": 1649406782.8957117,
"correlation_id": "01G044WAW86R15GEVF4KFN6QB4",
"meta.user": "REDACTED",
"meta.client_id": "user/2",
"meta.caller_id": "ProjectsController#create",
"meta.remote_ip": "REDACTED",
"meta.feature_category": "importers",
"worker_data_consistency": "always",
"idempotency_key": "resque:gitlab:duplicate:project_template_export:edf9d386d7faba1de40fbc50b4a3e3411481861ad1aab64426cd388bcd266c81",
"size_limiter": "validated",
"enqueued_at": 1649406782.9001172
}
},
{
"severity": "ERROR",
"time": "2022-04-08T08:33:03.210Z",
"correlation_id": "01G044WAW86R15GEVF4KFN6QB4",
"exception.class": "Gitlab::HTTP::BlockedUrlError",
"exception.message": "URL 'https://REDACTED.blob.core.windows.net/gitlab-uploads/project/avatar/37/Tibco%2BSoftware%2Binc.png?sp=r&sv=2018-11-09&sr=b&se=2022-04-08T08%3A43%3A03Z&spr=https&sig=j0MCI9Rybqm7vSYDyYQxU%2BnFKUkBTIL2Mw%2BdVywCXzg%3D' is blocked: Requests to the local network are not allowed",
"exception.backtrace": [
"lib/gitlab/http_connection_adapter.rb:53:in `rescue in validate_url!'",
"lib/gitlab/http_connection_adapter.rb:47:in `validate_url!'",
"lib/gitlab/http_connection_adapter.rb:27:in `connection'",
"lib/gitlab/http.rb:50:in `perform_request'",
"lib/gitlab/import_export/command_line_util.rb:68:in `block in download'",
"lib/gitlab/import_export/command_line_util.rb:65:in `open'",
"lib/gitlab/import_export/command_line_util.rb:65:in `download'",
"lib/gitlab/import_export/command_line_util.rb:60:in `download_or_copy_upload'",
"lib/gitlab/import_export/uploads_manager.rb:88:in `download_and_copy'",
"lib/gitlab/import_export/uploads_manager.rb:55:in `block in copy_project_uploads'",
"lib/gitlab/import_export/uploads_manager.rb:68:in `each_uploader'",
"lib/gitlab/import_export/uploads_manager.rb:47:in `copy_project_uploads'",
"lib/gitlab/import_export/uploads_manager.rb:17:in `save'",
"lib/gitlab/import_export/avatar_saver.rb:18:in `save'",
"app/services/projects/import_export/export_service.rb:58:in `all?'",
"app/services/projects/import_export/export_service.rb:58:in `save_exporters'",
"app/services/projects/import_export/export_service.rb:50:in `save_all!'",
"app/services/projects/import_export/export_service.rb:20:in `execute'",
"app/services/concerns/measurable.rb:35:in `execute'",
"app/workers/project_export_worker.rb:24:in `perform'",
"lib/gitlab/database/load_balancing/sidekiq_server_middleware.rb:26:in `call'",
"lib/gitlab/sidekiq_middleware/duplicate_jobs/strategies/until_executing.rb:16:in `perform'",
"lib/gitlab/sidekiq_middleware/duplicate_jobs/duplicate_job.rb:58:in `perform'",
"lib/gitlab/sidekiq_middleware/duplicate_jobs/server.rb:8:in `call'",
"lib/gitlab/sidekiq_middleware/worker_context.rb:9:in `wrap_in_optional_context'",
"lib/gitlab/sidekiq_middleware/worker_context/server.rb:17:in `block in call'",
"lib/gitlab/application_context.rb:88:in `block in use'",
"lib/gitlab/application_context.rb:88:in `use'",
"lib/gitlab/application_context.rb:41:in `with_context'",
"lib/gitlab/sidekiq_middleware/worker_context/server.rb:15:in `call'",
"lib/gitlab/sidekiq_status/server_middleware.rb:7:in `call'",
"lib/gitlab/sidekiq_versioning/middleware.rb:9:in `call'",
"lib/gitlab/sidekiq_middleware/query_analyzer.rb:7:in `block in call'",
"lib/gitlab/database/query_analyzer.rb:46:in `within'",
"lib/gitlab/sidekiq_middleware/query_analyzer.rb:7:in `call'",
"lib/gitlab/sidekiq_middleware/admin_mode/server.rb:14:in `call'",
"lib/gitlab/sidekiq_middleware/instrumentation_logger.rb:9:in `call'",
"lib/gitlab/sidekiq_middleware/batch_loader.rb:7:in `call'",
"lib/gitlab/sidekiq_middleware/extra_done_log_metadata.rb:7:in `call'",
"lib/gitlab/sidekiq_middleware/request_store_middleware.rb:10:in `block in call'",
"lib/gitlab/with_request_store.rb:17:in `enabling_request_store'",
"lib/gitlab/with_request_store.rb:10:in `with_request_store'",
"lib/gitlab/sidekiq_middleware/request_store_middleware.rb:9:in `call'",
"lib/gitlab/sidekiq_middleware/arguments_logger.rb:8:in `call'",
"lib/gitlab/sidekiq_middleware/server_metrics.rb:74:in `block in call'",
"lib/gitlab/sidekiq_middleware/server_metrics.rb:97:in `block in instrument'",
"lib/gitlab/metrics/background_transaction.rb:33:in `run'",
"lib/gitlab/sidekiq_middleware/server_metrics.rb:97:in `instrument'",
"lib/gitlab/sidekiq_middleware/server_metrics.rb:73:in `call'",
"lib/gitlab/sidekiq_middleware/monitor.rb:10:in `block in call'",
"lib/gitlab/sidekiq_daemon/monitor.rb:49:in `within_job'",
"lib/gitlab/sidekiq_middleware/monitor.rb:9:in `call'",
"lib/gitlab/sidekiq_middleware/size_limiter/server.rb:13:in `call'"
],
"user.username": "REDACTED",
"tags.program": "sidekiq",
"tags.locale": "en",
"tags.feature_category": "importers",
"tags.correlation_id": "01G044WAW86R15GEVF4KFN6QB4",
"extra.sidekiq": {
"retry": false,
"queue": "project_template_export",
"version": 0,
"backtrace": 5,
"dead": false,
"status_expiration": 21600,
"args": [
"[FILTERED]",
"[FILTERED]",
"{\"export_into_project_id\"=>2236}",
"{}"
],
"class": "ProjectTemplateExportWorker",
"jid": "c50277b21c5459a8b00bed70",
"created_at": 1649406782.8957117,
"correlation_id": "01G044WAW86R15GEVF4KFN6QB4",
"meta.user": "REDACTED",
"meta.client_id": "user/2",
"meta.caller_id": "ProjectsController#create",
"meta.remote_ip": "REDACTED",
"meta.feature_category": "importers",
"worker_data_consistency": "always",
"idempotency_key": "resque:gitlab:duplicate:project_template_export:edf9d386d7faba1de40fbc50b4a3e3411481861ad1aab64426cd388bcd266c81",
"size_limiter": "validated",
"enqueued_at": 1649406782.9001172
},
"extra.importer": "Import/Export",
"extra.exportable_id": 37,
"extra.exportable_path": "gitlab/project-templates/REDACTED",
"extra.import_jid": null
}
]