Merge branch 'fj-remove-dns-protection-when-validating' into 'master'

Avoid checking dns rebind protection in validation Closes #66723 See merge request gitlab-org/gitlab-ce!32577
2019-09-05 09:11:15 +00:00 · 2019-09-05 09:11:15 +00:00 · 4e9c531a84
commit 4e9c531a84
parent 8d93ec2e90 537eb0bb2d
3 changed files with 49 additions and 1 deletions
--- a/app/validators/addressable_url_validator.rb
+++ b/app/validators/addressable_url_validator.rb
@ -42,6 +42,11 @@
 class AddressableUrlValidator < ActiveModel::EachValidator
  attr_reader :record

+  # By default, we avoid checking the dns rebinding protection
+  # when saving/updating a record. Sometimes, the url
+  # is not resolvable at that point, and some automated
+  # tasks that uses that url won't work.
+  # See https://gitlab.com/gitlab-org/gitlab-ce/issues/66723
  BLOCKER_VALIDATE_OPTIONS = {
    schemes: %w(http https),
    ports: [],
@ -49,7 +54,8 @@ class AddressableUrlValidator < ActiveModel::EachValidator
    allow_local_network: true,
    ascii_only: false,
    enforce_user: false,
-    enforce_sanitization: false
+    enforce_sanitization: false,
+    dns_rebind_protection: false
  }.freeze

  DEFAULT_OPTIONS = BLOCKER_VALIDATE_OPTIONS.merge({
--- a/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
+++ b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
@ -0,0 +1,5 @@
+---
+title: Avoid checking dns rebind protection when validating
+merge_request: 32577
+author:
+type: fixed
--- a/spec/validators/addressable_url_validator_spec.rb
+++ b/spec/validators/addressable_url_validator_spec.rb
@ -92,6 +92,15 @@ describe AddressableUrlValidator do
      expect(badge.errors).to be_empty
      expect(badge.link_url).to eq('https://127.0.0.1')
    end
+
+    it 'allows urls that cannot be resolved' do
+      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+      badge.link_url = 'http://foobar.x'
+
+      subject
+
+      expect(badge.errors).to be_empty
+    end
  end

  context 'when message is set' do
@ -312,4 +321,32 @@ describe AddressableUrlValidator do
      end
    end
  end
+
+  context 'when dns_rebind_protection is' do
+    let(:not_resolvable_url) { 'http://foobar.x' }
+    let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) }
+
+    before do
+      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+      badge.link_url = not_resolvable_url
+
+      subject
+    end
+
+    context 'true' do
+      let(:dns_value) { true }
+
+      it 'raises error' do
+        expect(badge.errors).to be_present
+      end
+    end
+
+    context 'false' do
+      let(:dns_value) { false }
+
+      it 'allows urls that cannot be resolved' do
+        expect(badge.errors).to be_empty
+      end
+    end
+  end
 end