Reuben Pereira
f40b5860d7
Add table and model for error tracking settings
2019-01-07 17:55:21 +00:00
James Edwards-Jones
72c0059407
Allow URLs to be validated as ascii_only
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
2018-12-06 15:18:18 +00:00
Steve Azzopardi
a9f5b22394
Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'
[11.5] Fix SSRF in project integrations
See merge request gitlab/gitlabhq!2611
2018-11-28 19:14:36 -05:00
Cindy Pallares
c0e5d9afee
Merge branch 'security-fj-crlf-injection' into 'master'
[master] Fix CRLF issue in UrlValidator
See merge request gitlab/gitlabhq!2627
2018-11-28 19:14:06 -05:00
Cindy Pallares
4bc6f2e3ac
Merge branch 'security-stored-xss-for-environments' into 'master'
[master] Stored XSS for Environments
Closes #2727
See merge request gitlab/gitlabhq!2594
2018-11-28 19:07:29 -05:00
Thiago Presa
cc571e18d3
Merge branch 'sh-block-other-localhost' into 'master'
Block additional localhost addresses in UrlBlocker
See merge request gitlab/gitlabhq!2487
2018-10-25 01:05:44 +00:00
gfyoung
c858f70d07
Enable frozen string for lib/gitlab/*.rb
2018-10-22 07:00:50 +00:00
Stan Hu
b1d04cf9d5
Block loopback addresses in UrlBlocker
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128
2018-09-05 22:04:23 -07:00
Stan Hu
b3f7558750
Block link-local addresses in URLBlocker
Closes https://gitlab.com/gitlab-com/migration/issues/766
2018-08-12 22:34:34 -07:00
Francisco Javier López
1418afc2d6
Avoid checking the user format in every url validation
2018-06-11 13:29:37 +00:00
Francisco Javier López
840f80d48b
Add validation to webhook and service URLs to ensure they are not blocked because of SSRF
2018-06-01 11:43:53 +00:00
Douwe Maan
b290d929bc
Rename allow_private_networks to allow_local_network
2018-04-02 17:24:19 +02:00
Douwe Maan
b95918dda8
Make error messages even more descriptive
2018-04-02 17:20:18 +02:00
Douwe Maan
2e3bc6a941
Raise more descriptive errors when URLs are blocked
2018-04-02 17:20:01 +02:00
Douwe Maan
95ced3bb5f
Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'
Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2337
2018-03-21 14:39:21 +00:00
Douwe Maan
89bd78352e
Merge branch 'ssrf-protections-round-2' into 'security-10-1'
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
See merge request gitlab/gitlabhq!2219
(cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5)
1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
2017-11-08 20:11:08 -08:00
James Edwards-Jones
b296921681
Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'
Ensure user and hostnames begin with an alnum character in UrlBlocker
See merge request !2138
2017-08-10 20:47:28 +01:00
Rubén Dávila
83a0c39808
Merge branch 'ssrf' into 'security'
nil check for url_blocker?
See merge request !2076
2017-03-20 18:53:45 -07:00
Douwe Maan
65aafb9917
Merge branch 'ssrf' into 'security'
Protect server against SSRF in project import URLs
See merge request !2068
2017-03-20 18:53:04 -07:00