kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Merge branch 'ssrf-protections-round-2' into 'security-10-1'

Browse source 
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions

See merge request gitlab/gitlabhq!2219

(cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5)

1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
This commit is contained in:
Douwe Maan 2017-11-07 08:30:38 +00:00 committed by Michael Kozono
parent 0c3877a488
commit 89bd78352e
2 changed files with 19 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lib/gitlab/url_blocker.rb
View file

@ -22,10 +22,12 @@ module Gitlab
return true if blocked_user_or_hostname?(uri.user)
return true if blocked_user_or_hostname?(uri.hostname)
server_ips = Resolv.getaddresses(uri.hostname)
server_ips = Addrinfo.getaddrinfo(uri.hostname, 80, nil, :STREAM).map(&:ip_address)
return true if (blocked_ips & server_ips).any?
rescue Addressable::URI::InvalidURIError
return true
rescue SocketError
return false
end
false

16
spec/lib/gitlab/url_blocker_spec.rb
View file

@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do
expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (0177.1)' do
expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (0x7f.1)' do
expect(described_class.blocked_url?('https://0x7f.1:65535/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (2130706433)' do
expect(described_class.blocked_url?('https://2130706433:65535/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (127.000.000.001)' do
expect(described_class.blocked_url?('https://127.000.000.001:65535/foo/foo.git')).to be true
end
it 'returns true for a non-alphanumeric hostname' do
stub_resolv