Merge 10-1-stable into 10-1-stable-ee

fef0f650 · Winnie Hellmann · Michael Kozono · c943ef46 · fef0f650 · fef0f650
Commit fef0f650 authored Nov 07, 2017 by Winnie Hellmann Committed by Michael Kozono Nov 08, 2017
5 changed files
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -70,7 +70,10 @@ module API
      mount ::API::V3::Github
    end

-    before { header['X-Frame-Options'] = 'SAMEORIGIN' }
+    before do
+      header['X-Frame-Options'] = 'SAMEORIGIN'
+      header['X-Content-Type-Options'] = 'nosniff'
+    end

    # The locale is set to the current user's locale when `current_user` is loaded
    after { Gitlab::I18n.use_default_locale }

--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -22,10 +22,12 @@ module Gitlab
          return true if blocked_user_or_hostname?(uri.user)
          return true if blocked_user_or_hostname?(uri.hostname)

-          server_ips = Resolv.getaddresses(uri.hostname)
+          server_ips = Addrinfo.getaddrinfo(uri.hostname, 80, nil, :STREAM).map(&:ip_address)
          return true if (blocked_ips & server_ips).any?
        rescue Addressable::URI::InvalidURIError
          return true
+        rescue SocketError
+          return false
        end

        false

--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do
      expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git')).to be true
    end

+    it 'returns true for alternative version of 127.0.0.1 (0177.1)' do
+      expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true
+    end
+
+    it 'returns true for alternative version of 127.0.0.1 (0x7f.1)' do
+      expect(described_class.blocked_url?('https://0x7f.1:65535/foo/foo.git')).to be true
+    end
+
+    it 'returns true for alternative version of 127.0.0.1 (2130706433)' do
+      expect(described_class.blocked_url?('https://2130706433:65535/foo/foo.git')).to be true
+    end
+
+    it 'returns true for alternative version of 127.0.0.1 (127.000.000.001)' do
+      expect(described_class.blocked_url?('https://127.000.000.001:65535/foo/foo.git')).to be true
+    end
+
    it 'returns true for a non-alphanumeric hostname' do
      stub_resolv


--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -50,6 +50,12 @@ describe API::Projects do
        expect(json_response).to be_an Array
        expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id))
      end
+
+      it 'returns the proper security headers' do
+        get api('/projects', current_user), filter
+
+        expect(response).to include_security_headers
+      end
    end

    shared_examples_for 'projects response without N + 1 queries' do

--- a/spec/support/matchers/security_header_matcher.rb
+++ b/spec/support/matchers/security_header_matcher.rb
+RSpec::Matchers.define :include_security_headers do |expected|
+  match do |actual|
+    expect(actual.headers).to include('X-Content-Type-Options')
+  end
+end