gitlab-org--gitlab-foss/spec/lib/gitlab/url_blocker_spec.rb

# coding: utf-8
require 'spec_helper'

describe Gitlab::UrlBlocker do
  describe '#blocked_url?' do
    let(:ports) { Project::VALID_IMPORT_PORTS }

    it 'allows imports from configured web host and port' do
      import_url = "http://#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}/t.git"
      expect(described_class.blocked_url?(import_url)).to be false
    end

    it 'allows mirroring from configured SSH host and port' do
      import_url = "ssh://#{Gitlab.config.gitlab_shell.ssh_host}:#{Gitlab.config.gitlab_shell.ssh_port}/t.git"
      expect(described_class.blocked_url?(import_url)).to be false
    end

    it 'returns true for bad localhost hostname' do
      expect(described_class.blocked_url?('https://localhost:65535/foo/foo.git')).to be true
    end

    it 'returns true for bad port' do
      expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git', ports: ports)).to be true
    end

    it 'returns true for bad protocol' do
      expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git', protocols: ['https'])).to be false
      expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git')).to be false
      expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git', protocols: ['http'])).to be true
    end

    it 'returns true for bad protocol on configured web/SSH host and ports' do
      web_url = "javascript://#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}/t.git%0aalert(1)"
      expect(described_class.blocked_url?(web_url)).to be true

      ssh_url = "javascript://#{Gitlab.config.gitlab_shell.ssh_host}:#{Gitlab.config.gitlab_shell.ssh_port}/t.git%0aalert(1)"
      expect(described_class.blocked_url?(ssh_url)).to be true
    end

    it 'returns true for localhost IPs' do
      expect(described_class.blocked_url?('https://0.0.0.0/foo/foo.git')).to be true
      expect(described_class.blocked_url?('https://[::1]/foo/foo.git')).to be true
      expect(described_class.blocked_url?('https://127.0.0.1/foo/foo.git')).to be true
    end

    it 'returns true for loopback IP' do
      expect(described_class.blocked_url?('https://127.0.0.2/foo/foo.git')).to be true
    end

    it 'returns true for alternative version of 127.0.0.1 (0177.1)' do
      expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true
    end

    it 'returns true for alternative version of 127.0.0.1 (0x7f.1)' do
      expect(described_class.blocked_url?('https://0x7f.1:65535/foo/foo.git')).to be true
    end

    it 'returns true for alternative version of 127.0.0.1 (2130706433)' do
      expect(described_class.blocked_url?('https://2130706433:65535/foo/foo.git')).to be true
    end

    it 'returns true for alternative version of 127.0.0.1 (127.000.000.001)' do
      expect(described_class.blocked_url?('https://127.000.000.001:65535/foo/foo.git')).to be true
    end

    it 'returns true for a non-alphanumeric hostname' do
      stub_resolv

      aggregate_failures do
        expect(described_class).to be_blocked_url('ssh://-oProxyCommand=whoami/a')

        # The leading character here is a Unicode "soft hyphen"
        expect(described_class).to be_blocked_url('ssh://oProxyCommand=whoami/a')

        # Unicode alphanumerics are allowed
        expect(described_class).not_to be_blocked_url('ssh://ğitlab.com/a')
      end
    end

    it 'returns true for invalid URL' do
      expect(described_class.blocked_url?('http://:8080')).to be true
    end

    it 'returns false for legitimate URL' do
      expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git')).to be false
    end

    context 'when allow_local_network is' do
      let(:local_ips) { ['192.168.1.2', '10.0.0.2', '172.16.0.2'] }
      let(:fake_domain) { 'www.fakedomain.fake' }

      context 'true (default)' do
        it 'does not block urls from private networks' do
          local_ips.each do |ip|
            stub_domain_resolv(fake_domain, ip)

            expect(described_class).not_to be_blocked_url("http://#{fake_domain}")

            unstub_domain_resolv

            expect(described_class).not_to be_blocked_url("http://#{ip}")
          end
        end

        it 'allows localhost endpoints' do
          expect(described_class).not_to be_blocked_url('http://0.0.0.0', allow_localhost: true)
          expect(described_class).not_to be_blocked_url('http://localhost', allow_localhost: true)
          expect(described_class).not_to be_blocked_url('http://127.0.0.1', allow_localhost: true)
        end

        it 'allows loopback endpoints' do
          expect(described_class).not_to be_blocked_url('http://127.0.0.2', allow_localhost: true)
        end

        it 'allows IPv4 link-local endpoints' do
          expect(described_class).not_to be_blocked_url('http://169.254.169.254')
          expect(described_class).not_to be_blocked_url('http://169.254.168.100')
        end

        # This is blocked due to the hostname check: https://gitlab.com/gitlab-org/gitlab-ce/issues/50227
        it 'blocks IPv6 link-local endpoints' do
          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]')
          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]')
        end
      end

      context 'false' do
        it 'blocks urls from private networks' do
          local_ips.each do |ip|
            stub_domain_resolv(fake_domain, ip)

            expect(described_class).to be_blocked_url("http://#{fake_domain}", allow_local_network: false)

            unstub_domain_resolv

            expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false)
          end
        end

        it 'blocks IPv4 link-local endpoints' do
          expect(described_class).to be_blocked_url('http://169.254.169.254', allow_local_network: false)
          expect(described_class).to be_blocked_url('http://169.254.168.100', allow_local_network: false)
        end

        it 'blocks IPv6 link-local endpoints' do
          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]', allow_local_network: false)
          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]', allow_local_network: false)
          expect(described_class).to be_blocked_url('http://[FE80::C800:EFF:FE74:8]', allow_local_network: false)
        end
      end

      def stub_domain_resolv(domain, ip)
        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false, ipv4_loopback?: false, ipv6_loopback?: false)])
      end

      def unstub_domain_resolv
        allow(Addrinfo).to receive(:getaddrinfo).and_call_original
      end
    end

    context 'when enforce_user is' do
      before do
        stub_resolv
      end

      context 'false (default)' do
        it 'does not block urls with a non-alphanumeric username' do
          expect(described_class).not_to be_blocked_url('ssh://-oProxyCommand=whoami@example.com/a')

          # The leading character here is a Unicode "soft hyphen"
          expect(described_class).not_to be_blocked_url('ssh://oProxyCommand=whoami@example.com/a')

          # Unicode alphanumerics are allowed
          expect(described_class).not_to be_blocked_url('ssh://ğitlab@example.com/a')
        end
      end

      context 'true' do
        it 'blocks urls with a non-alphanumeric username' do
          aggregate_failures do
            expect(described_class).to be_blocked_url('ssh://-oProxyCommand=whoami@example.com/a', enforce_user: true)

            # The leading character here is a Unicode "soft hyphen"
            expect(described_class).to be_blocked_url('ssh://oProxyCommand=whoami@example.com/a', enforce_user: true)

            # Unicode alphanumerics are allowed
            expect(described_class).not_to be_blocked_url('ssh://ğitlab@example.com/a', enforce_user: true)
          end
        end
      end
    end
  end

  # Resolv does not support resolving UTF-8 domain names
  # See https://bugs.ruby-lang.org/issues/4270
  def stub_resolv
    allow(Resolv).to receive(:getaddresses).and_return([])
  end
end
-												Block link-local addresses in URLBlocker

Closes https://gitlab.com/gitlab-com/migration/issues/766

											
										
										
											2018-08-11 10:38:21 +00:00
+								# coding: utf-8
-												Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs

See merge request !2068
											
										
										
											2017-03-15 20:09:08 +00:00
+								require 'spec_helper'
-												Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true

Signed-off-by: Rémy Coutable <remy@rymai.me>

											
										
										
											2017-07-10 14:24:02 +00:00
+								describe Gitlab::UrlBlocker do
-												Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs

See merge request !2068
											
										
										
											2017-03-15 20:09:08 +00:00
+								  describe '#blocked_url?' do
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								    let(:ports) { Project::VALID_IMPORT_PORTS }
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
-												Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs

See merge request !2068
											
										
										
											2017-03-15 20:09:08 +00:00
+								    it 'allows imports from configured web host and port' do
 								      import_url = "http://#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}/t.git"
 								      expect(described_class.blocked_url?(import_url)).to be false
 								    end
-												Merge branch 'security-stored-xss-for-environments' into 'master'

[master] Stored XSS for Environments

Closes #2727

See merge request gitlab/gitlabhq!2594
											
										
										
											2018-11-28 18:37:12 +00:00
+								    it 'allows mirroring from configured SSH host and port' do
 								      import_url = "ssh://#{Gitlab.config.gitlab_shell.ssh_host}:#{Gitlab.config.gitlab_shell.ssh_port}/t.git"
-												Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs

See merge request !2068
											
										
										
											2017-03-15 20:09:08 +00:00
+								      expect(described_class.blocked_url?(import_url)).to be false
 								    end
 								    it 'returns true for bad localhost hostname' do
 								      expect(described_class.blocked_url?('https://localhost:65535/foo/foo.git')).to be true
 								    end
 								    it 'returns true for bad port' do
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								      expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git', ports: ports)).to be true
 								    end
 								    it 'returns true for bad protocol' do
 								      expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git', protocols: ['https'])).to be false
 								      expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git')).to be false
 								      expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git', protocols: ['http'])).to be true
-												Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs

See merge request !2068
											
										
										
											2017-03-15 20:09:08 +00:00
+								    end
-												Merge branch 'security-stored-xss-for-environments' into 'master'

[master] Stored XSS for Environments

Closes #2727

See merge request gitlab/gitlabhq!2594
											
										
										
											2018-11-28 18:37:12 +00:00
+								    it 'returns true for bad protocol on configured web/SSH host and ports' do
 								      web_url = "javascript://#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}/t.git%0aalert(1)"
 								      expect(described_class.blocked_url?(web_url)).to be true
 								      ssh_url = "javascript://#{Gitlab.config.gitlab_shell.ssh_host}:#{Gitlab.config.gitlab_shell.ssh_port}/t.git%0aalert(1)"
 								      expect(described_class.blocked_url?(ssh_url)).to be true
 								    end
-												Block loopback addresses in UrlBlocker

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128

											
										
										
											2018-09-06 04:41:59 +00:00
+								    it 'returns true for localhost IPs' do
 								      expect(described_class.blocked_url?('https://0.0.0.0/foo/foo.git')).to be true
 								      expect(described_class.blocked_url?('https://[::1]/foo/foo.git')).to be true
 								      expect(described_class.blocked_url?('https://127.0.0.1/foo/foo.git')).to be true
 								    end
 								    it 'returns true for loopback IP' do
 								      expect(described_class.blocked_url?('https://127.0.0.2/foo/foo.git')).to be true
 								    end
-												Merge branch 'ssrf-protections-round-2' into 'security-10-1'

Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions

See merge request gitlab/gitlabhq!2219

(cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5)

1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
											
										
										
											2017-11-07 08:30:38 +00:00
+								    it 'returns true for alternative version of 127.0.0.1 (0177.1)' do
 								      expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true
 								    end
 								    it 'returns true for alternative version of 127.0.0.1 (0x7f.1)' do
 								      expect(described_class.blocked_url?('https://0x7f.1:65535/foo/foo.git')).to be true
 								    end
 								    it 'returns true for alternative version of 127.0.0.1 (2130706433)' do
 								      expect(described_class.blocked_url?('https://2130706433:65535/foo/foo.git')).to be true
 								    end
 								    it 'returns true for alternative version of 127.0.0.1 (127.000.000.001)' do
 								      expect(described_class.blocked_url?('https://127.000.000.001:65535/foo/foo.git')).to be true
 								    end
-												Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'

Ensure user and hostnames begin with an alnum character in UrlBlocker

See merge request !2138
											
										
										
											2017-08-08 17:36:24 +00:00
+								    it 'returns true for a non-alphanumeric hostname' do
 								      stub_resolv
 								      aggregate_failures do
 								        expect(described_class).to be_blocked_url('ssh://-oProxyCommand=whoami/a')
 								        # The leading character here is a Unicode "soft hyphen"
 								        expect(described_class).to be_blocked_url('ssh://oProxyCommand=whoami/a')
 								        # Unicode alphanumerics are allowed
 								        expect(described_class).not_to be_blocked_url('ssh://ğitlab.com/a')
 								      end
 								    end
-												Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs

See merge request !2068
											
										
										
											2017-03-15 20:09:08 +00:00
+								    it 'returns true for invalid URL' do
 								      expect(described_class.blocked_url?('http://:8080')).to be true
 								    end
 								    it 'returns false for legitimate URL' do
 								      expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git')).to be false
 								    end
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
-												Rename allow_private_networks to allow_local_network

											
										
										
											2018-04-02 15:13:47 +00:00
+								    context 'when allow_local_network is' do
 								      let(:local_ips) { ['192.168.1.2', '10.0.0.2', '172.16.0.2'] }
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
+								      let(:fake_domain) { 'www.fakedomain.fake' }
 								      context 'true (default)' do
 								        it 'does not block urls from private networks' do
-												Rename allow_private_networks to allow_local_network

											
										
										
											2018-04-02 15:13:47 +00:00
+								          local_ips.each do |ip|
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
+								            stub_domain_resolv(fake_domain, ip)
 								            expect(described_class).not_to be_blocked_url("http://#{fake_domain}")
 								            unstub_domain_resolv
 								            expect(described_class).not_to be_blocked_url("http://#{ip}")
 								          end
 								        end
-												Block link-local addresses in URLBlocker

Closes https://gitlab.com/gitlab-com/migration/issues/766

											
										
										
											2018-08-11 10:38:21 +00:00
-												Block loopback addresses in UrlBlocker

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128

											
										
										
											2018-09-06 04:41:59 +00:00
+								        it 'allows localhost endpoints' do
 								          expect(described_class).not_to be_blocked_url('http://0.0.0.0', allow_localhost: true)
 								          expect(described_class).not_to be_blocked_url('http://localhost', allow_localhost: true)
 								          expect(described_class).not_to be_blocked_url('http://127.0.0.1', allow_localhost: true)
 								        end
 								        it 'allows loopback endpoints' do
 								          expect(described_class).not_to be_blocked_url('http://127.0.0.2', allow_localhost: true)
 								        end
-												Block link-local addresses in URLBlocker

Closes https://gitlab.com/gitlab-com/migration/issues/766

											
										
										
											2018-08-11 10:38:21 +00:00
+								        it 'allows IPv4 link-local endpoints' do
 								          expect(described_class).not_to be_blocked_url('http://169.254.169.254')
 								          expect(described_class).not_to be_blocked_url('http://169.254.168.100')
 								        end
 								        # This is blocked due to the hostname check: https://gitlab.com/gitlab-org/gitlab-ce/issues/50227
 								        it 'blocks IPv6 link-local endpoints' do
 								          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]')
 								          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]')
 								        end
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
+								      end
 								      context 'false' do
 								        it 'blocks urls from private networks' do
-												Rename allow_private_networks to allow_local_network

											
										
										
											2018-04-02 15:13:47 +00:00
+								          local_ips.each do |ip|
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
+								            stub_domain_resolv(fake_domain, ip)
-												Rename allow_private_networks to allow_local_network

											
										
										
											2018-04-02 15:13:47 +00:00
+								            expect(described_class).to be_blocked_url("http://#{fake_domain}", allow_local_network: false)
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
 								            unstub_domain_resolv
-												Rename allow_private_networks to allow_local_network

											
										
										
											2018-04-02 15:13:47 +00:00
+								            expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false)
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
+								          end
 								        end
-												Block link-local addresses in URLBlocker

Closes https://gitlab.com/gitlab-com/migration/issues/766

											
										
										
											2018-08-11 10:38:21 +00:00
 								        it 'blocks IPv4 link-local endpoints' do
 								          expect(described_class).to be_blocked_url('http://169.254.169.254', allow_local_network: false)
 								          expect(described_class).to be_blocked_url('http://169.254.168.100', allow_local_network: false)
 								        end
 								        it 'blocks IPv6 link-local endpoints' do
 								          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]', allow_local_network: false)
 								          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]', allow_local_network: false)
 								          expect(described_class).to be_blocked_url('http://[FE80::C800:EFF:FE74:8]', allow_local_network: false)
 								        end
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
+								      end
 								      def stub_domain_resolv(domain, ip)
-												Block loopback addresses in UrlBlocker

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128

											
										
										
											2018-09-06 04:41:59 +00:00
+								        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false, ipv4_loopback?: false, ipv6_loopback?: false)])
-												Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
											
										
										
											2018-03-13 22:38:25 +00:00
+								      end
 								      def unstub_domain_resolv
 								        allow(Addrinfo).to receive(:getaddrinfo).and_call_original
 								      end
 								    end
-												Avoid checking the user format in every url validation

											
										
										
											2018-06-11 13:29:37 +00:00
 								    context 'when enforce_user is' do
 								      before do
 								        stub_resolv
 								      end
 								      context 'false (default)' do
 								        it 'does not block urls with a non-alphanumeric username' do
 								          expect(described_class).not_to be_blocked_url('ssh://-oProxyCommand=whoami@example.com/a')
 								          # The leading character here is a Unicode "soft hyphen"
 								          expect(described_class).not_to be_blocked_url('ssh://oProxyCommand=whoami@example.com/a')
 								          # Unicode alphanumerics are allowed
 								          expect(described_class).not_to be_blocked_url('ssh://ğitlab@example.com/a')
 								        end
 								      end
 								      context 'true' do
 								        it 'blocks urls with a non-alphanumeric username' do
 								          aggregate_failures do
 								            expect(described_class).to be_blocked_url('ssh://-oProxyCommand=whoami@example.com/a', enforce_user: true)
 								            # The leading character here is a Unicode "soft hyphen"
 								            expect(described_class).to be_blocked_url('ssh://oProxyCommand=whoami@example.com/a', enforce_user: true)
 								            # Unicode alphanumerics are allowed
 								            expect(described_class).not_to be_blocked_url('ssh://ğitlab@example.com/a', enforce_user: true)
 								          end
 								        end
 								      end
 								    end
-												Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs

See merge request !2068
											
										
										
											2017-03-15 20:09:08 +00:00
+								  end
-												Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'

Ensure user and hostnames begin with an alnum character in UrlBlocker

See merge request !2138
											
										
										
											2017-08-08 17:36:24 +00:00
 								  # Resolv does not support resolving UTF-8 domain names
 								  # See https://bugs.ruby-lang.org/issues/4270
 								  def stub_resolv
 								    allow(Resolv).to receive(:getaddresses).and_return([])
 								  end
-												Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs

See merge request !2068
											
										
										
											2017-03-15 20:09:08 +00:00
+								end