Block link-local addresses in URLBlocker

Closes https://gitlab.com/gitlab-com/migration/issues/766
2018-08-11 03:38:21 -07:00 · 2018-08-11 03:38:21 -07:00 · b3f7558750
commit b3f7558750
parent 197a305b84
3 changed files with 37 additions and 1 deletions
--- a/changelogs/unreleased/sh-block-link-local-master.yml
+++ b/changelogs/unreleased/sh-block-link-local-master.yml
@ -0,0 +1,5 @@
+---
+title: Block link-local addresses in URLBlocker
+merge_request:
+author:
+type: security
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@ -31,6 +31,7 @@ module Gitlab

        validate_localhost!(addrs_info) unless allow_localhost
        validate_local_network!(addrs_info) unless allow_local_network
+        validate_link_local!(addrs_info) unless allow_local_network

        true
      end
@ -89,6 +90,13 @@ module Gitlab
        raise BlockedUrlError, "Requests to the local network are not allowed"
      end

+      def validate_link_local!(addrs_info)
+        netmask = IPAddr.new('169.254.0.0/16')
+        return unless addrs_info.any? { |addr| addr.ipv6_linklocal? || netmask.include?(addr.ip_address) }
+
+        raise BlockedUrlError, "Requests to the link local network are not allowed"
+      end
+
      def internal?(uri)
        internal_web?(uri) || internal_shell?(uri)
      end
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@ -1,3 +1,4 @@
+# coding: utf-8
 require 'spec_helper'

 describe Gitlab::UrlBlocker do
@ -82,6 +83,17 @@ describe Gitlab::UrlBlocker do
            expect(described_class).not_to be_blocked_url("http://#{ip}")
          end
        end
+
+        it 'allows IPv4 link-local endpoints' do
+          expect(described_class).not_to be_blocked_url('http://169.254.169.254')
+          expect(described_class).not_to be_blocked_url('http://169.254.168.100')
+        end
+
+        # This is blocked due to the hostname check: https://gitlab.com/gitlab-org/gitlab-ce/issues/50227
+        it 'blocks IPv6 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]')
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]')
+        end
      end

      context 'false' do
@ -96,10 +108,21 @@ describe Gitlab::UrlBlocker do
            expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false)
          end
        end
+
+        it 'blocks IPv4 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://169.254.169.254', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://169.254.168.100', allow_local_network: false)
+        end
+
+        it 'blocks IPv6 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://[FE80::C800:EFF:FE74:8]', allow_local_network: false)
+        end
      end

      def stub_domain_resolv(domain, ip)
-        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true)])
+        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false)])
      end

      def unstub_domain_resolv