Commit graph

19 commits

Author SHA1 Message Date
Reuben Pereira
f40b5860d7 Add table and model for error tracking settings 2019-01-07 17:55:21 +00:00
James Edwards-Jones
72c0059407 Allow URLs to be validated as ascii_only
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
2018-12-06 15:18:18 +00:00
Steve Azzopardi
a9f5b22394
Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'
[11.5] Fix SSRF in project integrations

See merge request gitlab/gitlabhq!2611
2018-11-28 19:14:36 -05:00
Cindy Pallares
c0e5d9afee
Merge branch 'security-fj-crlf-injection' into 'master'
[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
2018-11-28 19:14:06 -05:00
Cindy Pallares
4bc6f2e3ac
Merge branch 'security-stored-xss-for-environments' into 'master'
[master] Stored XSS for Environments

Closes #2727

See merge request gitlab/gitlabhq!2594
2018-11-28 19:07:29 -05:00
Thiago Presa
cc571e18d3 Merge branch 'sh-block-other-localhost' into 'master'
Block additional localhost addresses in UrlBlocker

See merge request gitlab/gitlabhq!2487
2018-10-25 01:05:44 +00:00
gfyoung
c858f70d07 Enable frozen string for lib/gitlab/*.rb 2018-10-22 07:00:50 +00:00
Stan Hu
b1d04cf9d5 Block loopback addresses in UrlBlocker
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128
2018-09-05 22:04:23 -07:00
Stan Hu
b3f7558750 Block link-local addresses in URLBlocker
Closes https://gitlab.com/gitlab-com/migration/issues/766
2018-08-12 22:34:34 -07:00
Francisco Javier López
1418afc2d6 Avoid checking the user format in every url validation 2018-06-11 13:29:37 +00:00
Francisco Javier López
840f80d48b Add validation to webhook and service URLs to ensure they are not blocked because of SSRF 2018-06-01 11:43:53 +00:00
Douwe Maan
b290d929bc
Rename allow_private_networks to allow_local_network 2018-04-02 17:24:19 +02:00
Douwe Maan
b95918dda8
Make error messages even more descriptive 2018-04-02 17:20:18 +02:00
Douwe Maan
2e3bc6a941
Raise more descriptive errors when URLs are blocked 2018-04-02 17:20:01 +02:00
Douwe Maan
95ced3bb5f Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'
Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
2018-03-21 14:39:21 +00:00
Douwe Maan
89bd78352e Merge branch 'ssrf-protections-round-2' into 'security-10-1'
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions

See merge request gitlab/gitlabhq!2219

(cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5)

1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
2017-11-08 20:11:08 -08:00
James Edwards-Jones
b296921681 Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'
Ensure user and hostnames begin with an alnum character in UrlBlocker

See merge request !2138
2017-08-10 20:47:28 +01:00
Rubén Dávila
83a0c39808 Merge branch 'ssrf' into 'security'
nil check for url_blocker?

See merge request !2076
2017-03-20 18:53:45 -07:00
Douwe Maan
65aafb9917 Merge branch 'ssrf' into 'security'
Protect server against SSRF in project import URLs

See merge request !2068
2017-03-20 18:53:04 -07:00