Merge branch 'sh-fix-hipchat-ssrf' into 'master'
[master] Prevent SSRF attacks in HipChat integration. See merge request gitlab/gitlabhq!2530
commit
107351e07a
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Prevent SSRF attacks in HipChat integration
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -0,0 +1,14 @@
|
|||
# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
|
||||
module HipChat
|
||||
class Client
|
||||
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
|
||||
end
|
||||
|
||||
class Room
|
||||
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
|
||||
end
|
||||
|
||||
class User
|
||||
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
|
||||
end
|
||||
end
|
|
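Review bot: The patch reopens `HipChat::Client`, `HipChat::Room` and `HipChat::User` but never requires the gem, so its correctness depends on load order: if this initializer runs before hipchat-rb has been loaded, `class Client` defines a fresh class with no HTTParty mixin and `connection_adapter` raises NoMethodError (or, worse, the real classes are defined afterwards without the adapter). Adding `require 'hipchat'` as the first non-comment line pins the order. The header comment should also state the purpose rather than the mechanism, e.g. `# Route every HipChat API request through ProxyHTTPConnectionAdapter so outbound URLs are validated (SSRF mitigation); covers each hipchat-rb class that includes HTTParty.` — the spec hunk below expects `Gitlab::UrlBlocker.validate!` to be hit and `Gitlab::HTTP::BlockedUrlError` to be raised, which is presumably what the adapter does. Whether these three are the only HTTParty-including classes in the gem cannot be confirmed from this page; a comment naming the gem version the patch was checked against would make future bumps safer.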
@ -387,4 +387,22 @@ describe HipchatService do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'with UrlBlocker' do
|
||||
let(:user) { create(:user) }
|
||||
let(:project) { create(:project, :repository) }
|
||||
let(:hipchat) { described_class.new(project: project) }
|
||||
let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
|
||||
|
||||
describe '#execute' do
|
||||
before do
|
||||
hipchat.server = 'http://localhost:9123'
|
||||
end
|
||||
|
||||
it 'raises UrlBlocker for localhost' do
|
||||
expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
|
||||
expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
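Review bot: The only blocked-URL example sets `hipchat.server = 'http://localhost:9123'`, so the spec proves the hostname string `localhost` is rejected but not that the adapter validates the resolved address; a second example using a literal loopback address such as `'http://127.0.0.1:9123'` (or a private-range host the test environment can name) would show that numeric and resolved addresses take the same path. It would also help to quote the expected message or error class once in a comment above the `context`, e.g. `# ProxyHTTPConnectionAdapter must reject local/private targets before any connection is opened`, so a future change to UrlBlocker's error type is caught deliberately. The `let(:user)` and `let(:project)` definitions appear to duplicate ones presumably declared earlier in the file (the enclosing `describe HipchatService do` starts outside the hunk); if so, the new `context` could rely on those instead.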
|