Use hostmatcher to replace matchlist, improve security (#17605)

Use hostmacher to replace matchlist.

And we introduce a better DialContext to do a full host/IP check, otherwise the attackers can still bypass the allow/block list by a 302 redirection.

modules/lfs/client.go

@@ -7,6 +7,7 @@ package lfs
 import (
 	"context"
 	"io"
+	"net/http"
 	"net/url"
 )
 
@@ -24,9 +25,9 @@ type Client interface {
 }
 
 // NewClient creates a LFS client
-func NewClient(endpoint *url.URL, skipTLSVerify bool) Client {
+func NewClient(endpoint *url.URL, httpTransport *http.Transport) Client {
 	if endpoint.Scheme == "file" {
 		return newFilesystemClient(endpoint)
 	}
-	return newHTTPClient(endpoint, skipTLSVerify)
+	return newHTTPClient(endpoint, httpTransport)
 }

modules/lfs/client_test.go

@@ -13,10 +13,10 @@ import (
 
 func TestNewClient(t *testing.T) {
 	u, _ := url.Parse("file:///test")
-	c := NewClient(u, true)
+	c := NewClient(u, nil)
 	assert.IsType(t, &FilesystemClient{}, c)
 
 	u, _ = url.Parse("https://test.com/lfs")
-	c = NewClient(u, true)
+	c = NewClient(u, nil)
 	assert.IsType(t, &HTTPClient{}, c)
 }

modules/lfs/http_client.go

@@ -7,7 +7,6 @@ package lfs
 import (
 	"bytes"
 	"context"
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"net/http"
@@ -34,12 +33,15 @@ func (c *HTTPClient) BatchSize() int {
 	return batchSize
 }
 
-func newHTTPClient(endpoint *url.URL, skipTLSVerify bool) *HTTPClient {
+func newHTTPClient(endpoint *url.URL, httpTransport *http.Transport) *HTTPClient {
+	if httpTransport == nil {
+		httpTransport = &http.Transport{
+			Proxy: proxy.Proxy(),
+		}
+	}
+
 	hc := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
-			Proxy:           proxy.Proxy(),
-		},
+		Transport: httpTransport,
 	}
 
 	client := &HTTPClient{