Merge branch 'mk-backport-security-fixes-to-master' into 'master'

Backport 10.1.2 security fixes to master See merge request gitlab-org/gitlab-ee!3318

Merge branch 'mk-backport-security-fixes-to-master' into 'master'
Backport 10.1.2 security fixes to master See merge request gitlab-org/gitlab-ee!3318
19df69b2 · Douwe Maan · c943ef46 · d55e091e · 19df69b2 · 19df69b2
Commit 19df69b2 authored Nov 09, 2017 by Douwe Maan
8 changed files
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -70,7 +70,10 @@ module API
      mount ::API::V3::Github
    end

-    before { header['X-Frame-Options'] = 'SAMEORIGIN' }
+    before do
+      header['X-Frame-Options'] = 'SAMEORIGIN'
+      header['X-Content-Type-Options'] = 'nosniff'
+    end

    # The locale is set to the current user's locale when `current_user` is loaded
    after { Gitlab::I18n.use_default_locale }

--- a/lib/gitlab/geo/base_request.rb
+++ b/lib/gitlab/geo/base_request.rb
@@ -26,10 +26,10 @@ module Gitlab
        geo_node = requesting_node
        raise GeoNodeNotFoundError unless geo_node

-        payload = { data: message.to_json, iat: Time.now.to_i }
-        token = JWT.encode(payload, geo_node.secret_access_key, 'HS256')
+        token = JSONWebToken::HMACToken.new(geo_node.secret_access_key)
+        token[:data] = message.to_json

-        "#{GITLAB_GEO_AUTH_TOKEN_TYPE} #{geo_node.access_key}:#{token}"
+        "#{GITLAB_GEO_AUTH_TOKEN_TYPE} #{geo_node.access_key}:#{token.encoded}"
      end

      def requesting_node

--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -22,10 +22,12 @@ module Gitlab
          return true if blocked_user_or_hostname?(uri.user)
          return true if blocked_user_or_hostname?(uri.hostname)

-          server_ips = Resolv.getaddresses(uri.hostname)
+          server_ips = Addrinfo.getaddrinfo(uri.hostname, 80, nil, :STREAM).map(&:ip_address)
          return true if (blocked_ips & server_ips).any?
        rescue Addressable::URI::InvalidURIError
          return true
+        rescue SocketError
+          return false
        end

        false

--- a/lib/json_web_token/hmac_token.rb
+++ b/lib/json_web_token/hmac_token.rb
+module JSONWebToken
+  class HMACToken < Token
+    def initialize(secret)
+      super()
+
+      @secret = secret
+    end
+
+    def encoded
+      JWT.encode(payload, @secret, 'HS256')
+    end
+  end
+end
--- a/spec/lib/gitlab/geo/jwt_request_decoder_spec.rb
+++ b/spec/lib/gitlab/geo/jwt_request_decoder_spec.rb
@@ -33,7 +33,13 @@ describe Gitlab::Geo::JwtRequestDecoder do
      Timecop.travel(30.seconds.ago) { expect(subject.decode).to eq(data) }
    end

-    it 'returns nil when clocks are not in sync' do
+    it 'fails to decode after expiring' do
+      subject
+
+      Timecop.travel(2.minutes) { expect(subject.decode).to be_nil }
+    end
+
+    it 'fails to decode when clocks are not in sync' do
      subject

      Timecop.travel(2.minutes.ago) { expect(subject.decode).to be_nil }

--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do
      expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git')).to be true
    end

+    it 'returns true for alternative version of 127.0.0.1 (0177.1)' do
+      expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true
+    end
+
+    it 'returns true for alternative version of 127.0.0.1 (0x7f.1)' do
+      expect(described_class.blocked_url?('https://0x7f.1:65535/foo/foo.git')).to be true
+    end
+
+    it 'returns true for alternative version of 127.0.0.1 (2130706433)' do
+      expect(described_class.blocked_url?('https://2130706433:65535/foo/foo.git')).to be true
+    end
+
+    it 'returns true for alternative version of 127.0.0.1 (127.000.000.001)' do
+      expect(described_class.blocked_url?('https://127.000.000.001:65535/foo/foo.git')).to be true
+    end
+
    it 'returns true for a non-alphanumeric hostname' do
      stub_resolv


--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -50,6 +50,12 @@ describe API::Projects do
        expect(json_response).to be_an Array
        expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id))
      end
+
+      it 'returns the proper security headers' do
+        get api('/projects', current_user), filter
+
+        expect(response).to include_security_headers
+      end
    end

    shared_examples_for 'projects response without N + 1 queries' do

--- a/spec/support/matchers/security_header_matcher.rb
+++ b/spec/support/matchers/security_header_matcher.rb
+RSpec::Matchers.define :include_security_headers do |expected|
+  match do |actual|
+    expect(actual.headers).to include('X-Content-Type-Options')
+  end
+end