Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
63c48f73
Commit
63c48f73
authored
Dec 10, 2018
by
Francisco Javier López
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Replaced UrlValidator with PublicUrlValidator for import_url and remote mirror urls
parent
5c5a5992
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
30 additions
and
5 deletions
+30
-5
app/models/project.rb
app/models/project.rb
+3
-4
app/models/remote_mirror.rb
app/models/remote_mirror.rb
+1
-1
changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
...unreleased/security-fix-ssrf-import-url-remote-mirror.yml
+5
-0
spec/models/project_spec.rb
spec/models/project_spec.rb
+7
-0
spec/models/remote_mirror_spec.rb
spec/models/remote_mirror_spec.rb
+14
-0
No files found.
app/models/project.rb
View file @
63c48f73
...
@@ -324,10 +324,9 @@ class Project < ActiveRecord::Base
...
@@ -324,10 +324,9 @@ class Project < ActiveRecord::Base
validates
:namespace
,
presence:
true
validates
:namespace
,
presence:
true
validates
:name
,
uniqueness:
{
scope: :namespace_id
}
validates
:name
,
uniqueness:
{
scope: :namespace_id
}
validates
:import_url
,
url:
{
protocols:
->
(
project
)
{
project
.
persisted?
?
VALID_MIRROR_PROTOCOLS
:
VALID_IMPORT_PROTOCOLS
},
validates
:import_url
,
public_url:
{
protocols:
->
(
project
)
{
project
.
persisted?
?
VALID_MIRROR_PROTOCOLS
:
VALID_IMPORT_PROTOCOLS
},
ports:
->
(
project
)
{
project
.
persisted?
?
VALID_MIRROR_PORTS
:
VALID_IMPORT_PORTS
},
ports:
->
(
project
)
{
project
.
persisted?
?
VALID_MIRROR_PORTS
:
VALID_IMPORT_PORTS
},
allow_localhost:
false
,
enforce_user:
true
},
if:
[
:external_import?
,
:import_url_changed?
]
enforce_user:
true
},
if:
[
:external_import?
,
:import_url_changed?
]
validates
:star_count
,
numericality:
{
greater_than_or_equal_to:
0
}
validates
:star_count
,
numericality:
{
greater_than_or_equal_to:
0
}
validate
:check_limit
,
on: :create
validate
:check_limit
,
on: :create
validate
:check_repository_path_availability
,
on: :update
,
if:
->
(
project
)
{
project
.
renamed?
}
validate
:check_repository_path_availability
,
on: :update
,
if:
->
(
project
)
{
project
.
renamed?
}
...
...
app/models/remote_mirror.rb
View file @
63c48f73
...
@@ -17,7 +17,7 @@ class RemoteMirror < ActiveRecord::Base
...
@@ -17,7 +17,7 @@ class RemoteMirror < ActiveRecord::Base
belongs_to
:project
,
inverse_of: :remote_mirrors
belongs_to
:project
,
inverse_of: :remote_mirrors
validates
:url
,
presence:
true
,
url:
{
protocols:
%w(ssh git http https)
,
allow_blank:
true
,
enforce_user:
true
}
validates
:url
,
presence:
true
,
public_
url:
{
protocols:
%w(ssh git http https)
,
allow_blank:
true
,
enforce_user:
true
}
before_save
:set_new_remote_name
,
if: :mirror_url_changed?
before_save
:set_new_remote_name
,
if: :mirror_url_changed?
...
...
changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
0 → 100644
View file @
63c48f73
---
title
:
Fix SSRF with import_url and remote mirror url
merge_request
:
author
:
type
:
security
spec/models/project_spec.rb
View file @
63c48f73
...
@@ -314,6 +314,13 @@ describe Project do
...
@@ -314,6 +314,13 @@ describe Project do
expect
(
project
.
errors
[
:import_url
].
first
).
to
include
(
'Requests to localhost are not allowed'
)
expect
(
project
.
errors
[
:import_url
].
first
).
to
include
(
'Requests to localhost are not allowed'
)
end
end
it
'does not allow import_url pointing to the local network'
do
project
=
build
(
:project
,
import_url:
'https://192.168.1.1'
)
expect
(
project
).
to
be_invalid
expect
(
project
.
errors
[
:import_url
].
first
).
to
include
(
'Requests to the local network are not allowed'
)
end
it
"does not allow import_url with invalid ports for new projects"
do
it
"does not allow import_url with invalid ports for new projects"
do
project
=
build
(
:project
,
import_url:
'http://github.com:25/t.git'
)
project
=
build
(
:project
,
import_url:
'http://github.com:25/t.git'
)
...
...
spec/models/remote_mirror_spec.rb
View file @
63c48f73
...
@@ -24,6 +24,20 @@ describe RemoteMirror do
...
@@ -24,6 +24,20 @@ describe RemoteMirror do
expect
(
remote_mirror
).
to
be_invalid
expect
(
remote_mirror
).
to
be_invalid
expect
(
remote_mirror
.
errors
[
:url
].
first
).
to
include
(
'Username needs to start with an alphanumeric character'
)
expect
(
remote_mirror
.
errors
[
:url
].
first
).
to
include
(
'Username needs to start with an alphanumeric character'
)
end
end
it
'does not allow url pointing to localhost'
do
remote_mirror
=
build
(
:remote_mirror
,
url:
'http://127.0.0.2/t.git'
)
expect
(
remote_mirror
).
to
be_invalid
expect
(
remote_mirror
.
errors
[
:url
].
first
).
to
include
(
'Requests to loopback addresses are not allowed'
)
end
it
'does not allow url pointing to the local network'
do
remote_mirror
=
build
(
:remote_mirror
,
url:
'https://192.168.1.1'
)
expect
(
remote_mirror
).
to
be_invalid
expect
(
remote_mirror
.
errors
[
:url
].
first
).
to
include
(
'Requests to the local network are not allowed'
)
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment