[Code] Add git clone url host and protocol whitelist (#33371)

Author: mw-ding

x-pack/plugins/code/common/git_url_utils.test.ts

@@ -31,4 +31,15 @@ test('Git url validation', () => {
   // An url without protocol
   expect(isValidGitUrl('/Users/elastic/elasticsearch')).toBeFalsy();
   expect(isValidGitUrl('github.com/elastic/elasticsearch')).toBeFalsy();
+
+  // An valid git url but without whitelisted host
+  expect(isValidGitUrl('https://github.com/elastic/elasticsearch.git', ['gitlab.com'])).toBeFalsy();
+
+  // An valid git url but without whitelisted protocol
+  expect(isValidGitUrl('https://github.com/elastic/elasticsearch.git', [], ['ssh'])).toBeFalsy();
+
+  // An valid git url with both whitelisted host and protocol
+  expect(
+    isValidGitUrl('https://github.com/elastic/elasticsearch.git', ['github.com'], ['https'])
+  ).toBeTruthy();
 });

x-pack/plugins/code/common/git_url_utils.ts

@@ -4,7 +4,33 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export function isValidGitUrl(url: string): boolean {
+import GitUrlParse from 'git-url-parse';
+
+export function isValidGitUrl(
+  url: string,
+  hostWhitelist?: string[],
+  protocolWhitelist?: string[]
+): boolean {
   const regex = /(?:git|ssh|https?|git@[-\w.]+):(\/\/)?(.*?)(\.git)?(\/?|\#[-\d\w._]+?)$/;
-  return regex.test(url);
+  const isPatternValid = regex.test(url);
+
+  if (!isPatternValid) {
+    return false;
+  }
+
+  const repo = GitUrlParse(url);
+
+  let isHostValid = true;
+  if (hostWhitelist && hostWhitelist.length > 0) {
+    const hostSet = new Set(hostWhitelist);
+    isHostValid = hostSet.has(repo.source);
+  }
+
+  let isProtocolValid = true;
+  if (protocolWhitelist && protocolWhitelist.length > 0) {
+    const protocolSet = new Set(protocolWhitelist);
+    isProtocolValid = protocolSet.has(repo.protocol);
+  }
+
+  return isHostValid && isProtocolValid;
 }

x-pack/plugins/code/index.ts

@@ -55,6 +55,12 @@ export const code = (kibana: any) =>
           enableMavenImport: Joi.boolean().default(true),
           enableGradleImport: Joi.boolean().default(true),
           installNodeDependency: Joi.boolean().default(true),
+          gitHostWhitelist: Joi.array()
+            .items(Joi.string())
+            .default([]),
+          gitProtocolWhitelist: Joi.array()
+            .items(Joi.string())
+            .default([]),
         }).default(),
         maxWorkspace: Joi.number().default(5), // max workspace folder for each language server
         disableScheduler: Joi.boolean().default(true), // Temp option to disable all schedulers.

x-pack/plugins/code/server/init.ts

@@ -221,7 +221,8 @@ async function initCodeNode(server: Server, serverOptions: ServerOptions, log: L
     deleteWorker,
     indexWorker,
     repoIndexInitializerFactory,
-    repoConfigController
+    repoConfigController,
+    serverOptions
   );
   repositorySearchRoute(server, log);
   documentSearchRoute(server, log);

x-pack/plugins/code/server/queue/clone_worker.ts

@@ -38,7 +38,13 @@ export class CloneWorker extends AbstractGitWorker {
 
   public async executeJob(job: Job) {
     const { url } = job.payload;
-    if (!isValidGitUrl(url)) {
+    if (
+      !isValidGitUrl(
+        url,
+        this.serverOptions.security.gitHostWhitelist,
+        this.serverOptions.security.gitProtocolWhitelist
+      )
+    ) {
       this.log.error(`Invalid git url ${url}`);
       return {
         uri: url,

x-pack/plugins/code/server/routes/repository.ts

@@ -15,6 +15,7 @@ import { Logger } from '../log';
 import { CloneWorker, DeleteWorker, IndexWorker } from '../queue';
 import { RepositoryConfigController } from '../repository_config_controller';
 import { RepositoryObjectClient } from '../search';
+import { ServerOptions } from '../server_options';
 import { EsClientWithRequest } from '../utils/esclient_with_request';
 
 export function repositoryRoute(
@@ -23,7 +24,8 @@ export function repositoryRoute(
   deleteWorker: DeleteWorker,
   indexWorker: IndexWorker,
   repoIndexInitializerFactory: RepositoryIndexInitializerFactory,
-  repoConfigController: RepositoryConfigController
+  repoConfigController: RepositoryConfigController,
+  options: ServerOptions
 ) {
   // Clone a git repository
   server.securedRoute({
@@ -35,7 +37,13 @@ export function repositoryRoute(
       const log = new Logger(req.server);
 
       // Reject the request if the url is an invalid git url.
-      if (!isValidGitUrl(repoUrl)) {
+      if (
+        !isValidGitUrl(
+          repoUrl,
+          options.security.gitHostWhitelist,
+          options.security.gitProtocolWhitelist
+        )
+      ) {
         return Boom.badRequest('Invalid git url.');
       }
 

x-pack/plugins/code/server/server_options.ts

@@ -17,6 +17,8 @@ export interface SecurityOptions {
   enableMavenImport: boolean;
   enableGradleImport: boolean;
   installNodeDependency: boolean;
+  gitHostWhitelist: string[];
+  gitProtocolWhitelist: string[];
 }
 
 export class ServerOptions {