Merge branch 'sh-block-link-local-master' into 'master'

Block link-local addresses in URLBlocker See merge request gitlab/gitlabhq!2459

Merge branch 'sh-block-link-local-master' into 'master'
Block link-local addresses in URLBlocker See merge request gitlab/gitlabhq!2459
1df7360f · José Iván Vargas López · f2a17073 · b3f75587 · 1df7360f · 1df7360f
Commit 1df7360f authored Aug 28, 2018 by José Iván Vargas López
3 changed files
--- a/changelogs/unreleased/sh-block-link-local-master.yml
+++ b/changelogs/unreleased/sh-block-link-local-master.yml
+---
+title: Block link-local addresses in URLBlocker
+merge_request:
+author:
+type: security
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -31,6 +31,7 @@ module Gitlab
        validate_localhost!(addrs_info) unless allow_localhost
        validate_local_network!(addrs_info) unless allow_local_network
+        validate_link_local!(addrs_info) unless allow_local_network
        true
      end
@@ -89,6 +90,13 @@ module Gitlab
        raise BlockedUrlError, "Requests to the local network are not allowed"
      end
+      def validate_link_local!(addrs_info)
+        netmask = IPAddr.new('169.254.0.0/16')
+        return unless addrs_info.any? { |addr| addr.ipv6_linklocal? || netmask.include?(addr.ip_address) }
+        raise BlockedUrlError, "Requests to the link local network are not allowed"
+      end
      def internal?(uri)
        internal_web?(uri) || internal_shell?(uri)
      end

--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
+# coding: utf-8
 require 'spec_helper'
 describe Gitlab::UrlBlocker do
@@ -82,6 +83,17 @@ describe Gitlab::UrlBlocker do
            expect(described_class).not_to be_blocked_url("http://#{ip}")
          end
        end
+        it 'allows IPv4 link-local endpoints' do
+          expect(described_class).not_to be_blocked_url('http://169.254.169.254')
+          expect(described_class).not_to be_blocked_url('http://169.254.168.100')
+        end
+        # This is blocked due to the hostname check: https://gitlab.com/gitlab-org/gitlab-ce/issues/50227
+        it 'blocks IPv6 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]')
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]')
+        end
      end
      context 'false' do
@@ -96,10 +108,21 @@ describe Gitlab::UrlBlocker do
            expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false)
          end
        end
+        it 'blocks IPv4 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://169.254.169.254', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://169.254.168.100', allow_local_network: false)
+        end
+        it 'blocks IPv6 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://[FE80::C800:EFF:FE74:8]', allow_local_network: false)
+        end
      end
      def stub_domain_resolv(domain, ip)
-        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true)])
+        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false)])
      end
      def unstub_domain_resolv