From 77972b01501141c3e26e1f092c2b14ce50ecfa84 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Fri, 18 Feb 2022 18:42:12 +0000
Subject: [PATCH] Block access to Gitiles

Once restarted onto the parent change, our Gerrit deployment will no longer link to Gitiles representations of changes or the Git tree. Explicitly deny access to the Gitiles URL base path in the Apache vhost config, since we can't effectively remove the plugin itself. This should help prevent search engines from finding its copies of our projects rather than the ones we want people to use in Gitea.

Change-Id: I3c96221256662443f7a43344afd12194dce82b9d
---
 playbooks/roles/gerrit/templates/gerrit.vhost.j2 | 5 +++++
 testinfra/test_gerrit.py | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/playbooks/roles/gerrit/templates/gerrit.vhost.j2 b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
index 5d6a4936cf..d80e8e4ca4 100644
--- a/playbooks/roles/gerrit/templates/gerrit.vhost.j2
+++ b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
@@ -61,6 +61,11 @@
 #RewriteCond %{REQUEST_URI} !^/maintenance.html$
 #RewriteRule ^/(.*) /maintenance.html [last,redirect=temporary]
+ # We can't disable this plugin, but don't want people using it
+
+ Require all denied
+
+
 ProxyPassMatch ^/robots.txt$ !
 ProxyPassMatch ^/server-status !
 # Comment out these two lines if the maintenance message above is in use
diff --git a/testinfra/test_gerrit.py b/testinfra/test_gerrit.py
index 6dbab51e59..0cac716c77 100644
--- a/testinfra/test_gerrit.py
+++ b/testinfra/test_gerrit.py
@@ -65,3 +65,9 @@ def test_openinfra_cla(host):
     assert '200 OK' in cmd.stdout
     assert 'Content-Type: text/html' in cmd.stdout
     assert 'OpenInfra Foundation Individual Contributor License Agreement' in cmd.stdout
+
+def test_gitiles_blocked(host):
+    cmd = host.run('curl --include --insecure ' '--resolve review.opendev.org:443:127.0.0.1 ' 'https://review.opendev.org/plugins/gitiles/opendev/system-config/')
+    assert '403 Forbidden' in cmd.stdout
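Review bot: The container directive lines that scope `Require all denied` appear to have been stripped from this rendering (two of the five added lines are empty here), so the exact path the deny applies to cannot be confirmed from the hunk; the commit message says it is the Gitiles URL base path, and the test in the sibling hunk requests `/plugins/gitiles/...`, so a prefix-scoped block is presumably intended. The added comment only says the plugin cannot be disabled; it would help the next maintainer to also record why the deny happens in Apache rather than in Gerrit, e.g. `# Deny at the proxy so Gitiles copies of repositories are never served or indexed; see Gitea for the canonical browse URLs`. Since the stated goal is keeping search engines off the Gitiles copies, note that a 403 alone does not remove pages already indexed; pairing the deny with a matching disallow entry in the locally served robots.txt (the `ProxyPassMatch ^/robots.txt$ !` context line shows it is not proxied) would be worth considering in a follow-up, if it is not already there.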
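Review bot: The new test exercises a single project path under the plugin, so it does not show that the deny covers the whole prefix; a second `host.run(...)` with the same curl options against `https://review.opendev.org/plugins/gitiles/` (the bare base path) with the same `'403 Forbidden'` assertion would pin that. The substring assertion would also be satisfied by a 403 that Gerrit itself generated for some other reason, so the test cannot distinguish the Apache deny from an application-level denial; this is acceptable for a smoke test but worth stating in a docstring, e.g. `"""Gitiles plugin URLs must be refused by the Apache vhost rather than proxied to Gerrit."""`. Style-wise, only one blank line separates `test_gitiles_blocked` from the preceding test, where the file's other functions (and PEP 8) would presumably use two; confirm against the surrounding file.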