Merge branch 'georgekoltsov/fix-500-on-gitea-importer' into 'master'

Fix 500 in Gitea importer See merge request gitlab-org/gitlab!26166

Merge branch 'georgekoltsov/fix-500-on-gitea-importer' into 'master'
Fix 500 in Gitea importer See merge request gitlab-org/gitlab!26166
c864834c · Jarka Košanová · 88a7dc21 · 23a1168b · c864834c · c864834c
Commit c864834c authored Mar 05, 2020 by Jarka Košanová
4 changed files
--- a/app/controllers/import/gitea_controller.rb
+++ b/app/controllers/import/gitea_controller.rb
@@ -16,7 +16,13 @@ class Import::GiteaController < Import::GithubController

  # Must be defined or it will 404
  def status
-    super
+    if blocked_url?
+      session[access_token_key] = nil
+
+      redirect_to new_import_url, alert: _('Specified URL cannot be used.')
+    else
+      super
+    end
  end

  private
@@ -54,4 +60,19 @@ class Import::GiteaController < Import::GithubController
  def client_options
    { host: provider_url, api_version: 'v1' }
  end
+
+  def blocked_url?
+    Gitlab::UrlBlocker.blocked_url?(
+      provider_url,
+      {
+        allow_localhost: allow_local_requests?,
+        allow_local_network: allow_local_requests?,
+        schemes: %w(http https)
+      }
+    )
+  end
+
+  def allow_local_requests?
+    Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
+  end
 end
--- a/changelogs/unreleased/georgekoltsov-fix-500-on-gitea-importer.yml
+++ b/changelogs/unreleased/georgekoltsov-fix-500-on-gitea-importer.yml
+---
+title: Fix 500 Error when using Gitea Importer
+merge_request: 26166
+author:
+type: fixed
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -18480,6 +18480,9 @@ msgstr ""
 msgid "Specific Runners"
 msgstr ""

+msgid "Specified URL cannot be used."
+msgstr ""
+
 msgid "Specify an e-mail address regex pattern to identify default internal users."
 msgstr ""


--- a/spec/controllers/import/gitea_controller_spec.rb
+++ b/spec/controllers/import/gitea_controller_spec.rb
@@ -28,10 +28,24 @@ describe Import::GiteaController do

  describe "GET status" do
    it_behaves_like 'a GitHub-ish import controller: GET status' do
+      let(:extra_assign_expectations) { { gitea_host_url: host_url } }
+
      before do
        assign_host_url
      end
-      let(:extra_assign_expectations) { { gitea_host_url: host_url } }
+
+      context 'when host url is local or not http' do
+        %w[https://localhost:3000 http://192.168.0.1 ftp://testing].each do |url|
+          let(:host_url) { url }
+
+          it 'denies network request' do
+            get :status, format: :json
+
+            expect(controller).to redirect_to(new_import_url)
+            expect(flash[:alert]).to eq('Specified URL cannot be used.')
+          end
+        end
+      end
    end
  end