
Lock net-http version to v0.1.1

Stan Hu requested to merge sh-lock-net-http into master

What does this MR do and why?

This is the version used by Ruby 3.0.6 (as seen in https://stdgems.org/net-http/ and Net::HTTP::VERSION). The updated net-http version shipped with Ruby 3.1 does not work at the moment with DNS rebinding protection: #413528 (closed)

We also need to adjust the net-http monkey patch. If we're using Ruby 3.1 with an older net-http, we still need the patch in https://github.com/ruby/net-http/pull/5.
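To make the mechanism behind "DNS rebinding protection" concrete, here is an added Ruby example. It is not GitLab's Gitlab::HTTP code and not the ruby/net-http patch; it only illustrates the pattern: resolve the hostname once, refuse answers that land in loopback or private ranges, then pin the TCP connection to the checked address so a second DNS lookup at connect time cannot redirect the request. It relies on the Net::HTTP#ipaddr= accessor, which sets the address the socket is opened to while Net::HTTP#address keeps the hostname used for TLS certificate verification. The RebindingSafeHTTP module, its denied-range list and the injectable resolver are constructed for this example.

```ruby
require 'net/http'
require 'ipaddr'
require 'resolv'

# Constructed example (not GitLab's Gitlab::HTTP): DNS rebinding protection.
# 1. Resolve the hostname once.
# 2. Reject any answer in loopback/private/link-local space.
# 3. Pin Net::HTTP to that exact IP with #ipaddr= so the connection cannot
#    follow a changed DNS answer, while #address keeps the hostname so TLS
#    verification still checks the certificate against the name.
module RebindingSafeHTTP
  class BlockedAddress < StandardError; end

  # Ranges a server-side fetcher should never be talked into reaching.
  DENIED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Real resolver; tests inject a stub so nothing touches the network.
  DEFAULT_RESOLVER = lambda do |host|
    Resolv::DNS.open { |dns| dns.getaddresses(host).map(&:to_s) }
  end

  def self.denied?(ip_string)
    ip = IPAddr.new(ip_string)
    DENIED_RANGES.any? { |range| range.include?(ip) }
  end

  # Returns the first checked IP for +host+ (IP literals are checked as-is).
  # Every answer is checked: one private address among several is enough
  # to refuse, since the socket might otherwise be opened to it.
  def self.resolve_and_check(host, resolver: DEFAULT_RESOLVER)
    literal = (IPAddr.new(host) rescue nil)
    ips = literal ? [literal.to_s] : resolver.call(host)
    raise BlockedAddress, "#{host} did not resolve" if ips.empty?

    bad = ips.find { |ip| denied?(ip) }
    raise BlockedAddress, "#{host} resolves to #{bad}" if bad

    ips.first
  end

  # Builds an unstarted Net::HTTP whose TCP target is the checked IP and
  # whose #address is still the hostname from the URL.
  def self.build(url, resolver: DEFAULT_RESOLVER)
    uri = URI(url)
    ip = resolve_and_check(uri.host, resolver: resolver)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == 'https')
    http.ipaddr = ip
    http
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed resolver results; no DNS traffic is generated.
  stub = lambda do |host|
    { 'www.example.com' => ['93.184.216.34'],
      'evil.example'    => ['1.2.3.4', '127.0.0.1'] }.fetch(host, [])
  end
  http = RebindingSafeHTTP.build('https://www.example.com/', resolver: stub)
  puts "connect to #{http.ipaddr}, verify cert for #{http.address}"
  begin
    RebindingSafeHTTP.build('https://evil.example/', resolver: stub)
  rescue RebindingSafeHTTP::BlockedAddress => e
    puts "blocked: #{e.message}"
  end
end
```

Calling `http.start` on the returned object would open the socket to the pinned IP while presenting and verifying the certificate for the hostname; that separation between connect address and verification name is exactly what a net-http version that drops or ignores the pinned address breaks.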

How to set up and validate locally

  1. In master, attempt to run `Gitlab::HTTP.get('https://www.google.com')` with DNS rebinding protection enabled in the application settings (default). This should fail with something like this:

     ```
     [1] pry(main)> Gitlab::HTTP.get('https://www.google.com')
     OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=142.251.46.196:443 state=error: certificate verify failed (self-signed certificate)
     from /Users/stanhu/.asdf/installs/ruby/3.1.4/lib/ruby/gems/3.1.0/gems/net-protocol-0.1.3/lib/net/protocol.rb:46:in `connect_nonblock'
     ```

  2. With this branch, repeat step 1. This should work.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
