Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
b290d929
Commit
b290d929
authored
Apr 02, 2018
by
Douwe Maan
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Rename allow_private_networks to allow_local_network
parent
b95918dd
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
12 additions
and
14 deletions
+12
-14
app/validators/importable_url_validator.rb
app/validators/importable_url_validator.rb
+3
-5
lib/gitlab/proxy_http_connection_adapter.rb
lib/gitlab/proxy_http_connection_adapter.rb
+1
-1
lib/gitlab/url_blocker.rb
lib/gitlab/url_blocker.rb
+2
-2
spec/lib/gitlab/url_blocker_spec.rb
spec/lib/gitlab/url_blocker_spec.rb
+6
-6
No files found.
app/validators/importable_url_validator.rb
View file @
b290d929
...
@@ -4,10 +4,8 @@
...
@@ -4,10 +4,8 @@
# protect against Server-side Request Forgery (SSRF).
# protect against Server-side Request Forgery (SSRF).
class
ImportableUrlValidator
<
ActiveModel
::
EachValidator
class
ImportableUrlValidator
<
ActiveModel
::
EachValidator
def
validate_each
(
record
,
attribute
,
value
)
def
validate_each
(
record
,
attribute
,
value
)
begin
Gitlab
::
UrlBlocker
.
validate!
(
value
,
valid_ports:
Project
::
VALID_IMPORT_PORTS
)
Gitlab
::
UrlBlocker
.
validate!
(
value
,
valid_ports:
Project
::
VALID_IMPORT_PORTS
)
rescue
Gitlab
::
UrlBlocker
::
BlockedUrlError
=>
e
rescue
Gitlab
::
UrlBlocker
::
BlockedUrlError
=>
e
record
.
errors
.
add
(
attribute
,
"is blocked:
#{
e
.
message
}
"
)
record
.
errors
.
add
(
attribute
,
"is blocked:
#{
e
.
message
}
"
)
end
end
end
end
end
lib/gitlab/proxy_http_connection_adapter.rb
View file @
b290d929
...
@@ -12,7 +12,7 @@ module Gitlab
...
@@ -12,7 +12,7 @@ module Gitlab
def
connection
def
connection
unless
allow_local_requests?
unless
allow_local_requests?
begin
begin
Gitlab
::
UrlBlocker
.
validate!
(
uri
,
allow_
private_networks
:
false
)
Gitlab
::
UrlBlocker
.
validate!
(
uri
,
allow_
local_network
:
false
)
rescue
Gitlab
::
UrlBlocker
::
BlockedUrlError
=>
e
rescue
Gitlab
::
UrlBlocker
::
BlockedUrlError
=>
e
raise
Gitlab
::
HTTP
::
BlockedUrlError
,
"URL '
#{
uri
}
' is blocked:
#{
e
.
message
}
"
raise
Gitlab
::
HTTP
::
BlockedUrlError
,
"URL '
#{
uri
}
' is blocked:
#{
e
.
message
}
"
end
end
...
...
lib/gitlab/url_blocker.rb
View file @
b290d929
...
@@ -5,7 +5,7 @@ module Gitlab
...
@@ -5,7 +5,7 @@ module Gitlab
BlockedUrlError
=
Class
.
new
(
StandardError
)
BlockedUrlError
=
Class
.
new
(
StandardError
)
class
<<
self
class
<<
self
def
validate!
(
url
,
allow_localhost:
false
,
allow_
private_networks
:
true
,
valid_ports:
[])
def
validate!
(
url
,
allow_localhost:
false
,
allow_
local_network
:
true
,
valid_ports:
[])
return
true
if
url
.
nil?
return
true
if
url
.
nil?
begin
begin
...
@@ -29,7 +29,7 @@ module Gitlab
...
@@ -29,7 +29,7 @@ module Gitlab
end
end
validate_localhost!
(
addrs_info
)
unless
allow_localhost
validate_localhost!
(
addrs_info
)
unless
allow_localhost
validate_local_network!
(
addrs_info
)
unless
allow_
private_networks
validate_local_network!
(
addrs_info
)
unless
allow_
local_network
true
true
end
end
...
...
spec/lib/gitlab/url_blocker_spec.rb
View file @
b290d929
...
@@ -74,13 +74,13 @@ describe Gitlab::UrlBlocker do
...
@@ -74,13 +74,13 @@ describe Gitlab::UrlBlocker do
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com/foo/foo.git'
)).
to
be
false
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com/foo/foo.git'
)).
to
be
false
end
end
context
'when allow_
private_networks
is'
do
context
'when allow_
local_network
is'
do
let
(
:
private_network
s
)
{
[
'192.168.1.2'
,
'10.0.0.2'
,
'172.16.0.2'
]
}
let
(
:
local_ip
s
)
{
[
'192.168.1.2'
,
'10.0.0.2'
,
'172.16.0.2'
]
}
let
(
:fake_domain
)
{
'www.fakedomain.fake'
}
let
(
:fake_domain
)
{
'www.fakedomain.fake'
}
context
'true (default)'
do
context
'true (default)'
do
it
'does not block urls from private networks'
do
it
'does not block urls from private networks'
do
private_network
s
.
each
do
|
ip
|
local_ip
s
.
each
do
|
ip
|
stub_domain_resolv
(
fake_domain
,
ip
)
stub_domain_resolv
(
fake_domain
,
ip
)
expect
(
described_class
).
not_to
be_blocked_url
(
"http://
#{
fake_domain
}
"
)
expect
(
described_class
).
not_to
be_blocked_url
(
"http://
#{
fake_domain
}
"
)
...
@@ -94,14 +94,14 @@ describe Gitlab::UrlBlocker do
...
@@ -94,14 +94,14 @@ describe Gitlab::UrlBlocker do
context
'false'
do
context
'false'
do
it
'blocks urls from private networks'
do
it
'blocks urls from private networks'
do
private_network
s
.
each
do
|
ip
|
local_ip
s
.
each
do
|
ip
|
stub_domain_resolv
(
fake_domain
,
ip
)
stub_domain_resolv
(
fake_domain
,
ip
)
expect
(
described_class
).
to
be_blocked_url
(
"http://
#{
fake_domain
}
"
,
allow_
private_networks
:
false
)
expect
(
described_class
).
to
be_blocked_url
(
"http://
#{
fake_domain
}
"
,
allow_
local_network
:
false
)
unstub_domain_resolv
unstub_domain_resolv
expect
(
described_class
).
to
be_blocked_url
(
"http://
#{
ip
}
"
,
allow_
private_networks
:
false
)
expect
(
described_class
).
to
be_blocked_url
(
"http://
#{
ip
}
"
,
allow_
local_network
:
false
)
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment