Reuben Pereira
28c76fb551
Don't use bang method when there is no safe method
https://github.com/rubocop-hq/ruby-style-guide#dangerous-method-bang
2019-07-12 07:04:44 +00:00
Oswaldo Ferreira
a1a0f8e6b0
Add DNS rebinding protection settings
2019-05-30 10:47:57 -03:00
Douwe Maan
a9bcddee4c
Protect Gitlab::HTTP against DNS rebinding attack
Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.
2019-05-30 10:47:31 -03:00
Thong Kuah
d119d3d1b2
Align UrlValidator to validate_url gem implementation.
Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.
2019-04-11 06:29:07 +00:00
James Edwards-Jones
72c0059407
Allow URLs to be validated as ascii_only
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
2018-12-06 15:18:18 +00:00
Steve Azzopardi
a9f5b22394
Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'
[11.5] Fix SSRF in project integrations
See merge request gitlab/gitlabhq!2611
2018-11-28 19:14:36 -05:00
Cindy Pallares
4bc6f2e3ac
Merge branch 'security-stored-xss-for-environments' into 'master'
[master] Stored XSS for Environments
Closes #2727
See merge request gitlab/gitlabhq!2594
2018-11-28 19:07:29 -05:00
Stan Hu
b1d04cf9d5
Block loopback addresses in UrlBlocker
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128
2018-09-05 22:04:23 -07:00
Stan Hu
b3f7558750
Block link-local addresses in URLBlocker
Closes https://gitlab.com/gitlab-com/migration/issues/766
2018-08-12 22:34:34 -07:00
Francisco Javier López
1418afc2d6
Avoid checking the user format in every url validation
2018-06-11 13:29:37 +00:00
Francisco Javier López
840f80d48b
Add validation to webhook and service URLs to ensure they are not blocked because of SSRF
2018-06-01 11:43:53 +00:00
Douwe Maan
b290d929bc
Rename allow_private_networks to allow_local_network
2018-04-02 17:24:19 +02:00
Douwe Maan
95ced3bb5f
Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'
Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2337
2018-03-21 14:39:21 +00:00
Douwe Maan
89bd78352e
Merge branch 'ssrf-protections-round-2' into 'security-10-1'
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
See merge request gitlab/gitlabhq!2219
(cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5)
1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
2017-11-08 20:11:08 -08:00
James Edwards-Jones
b296921681
Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'
Ensure user and hostnames begin with an alnum character in UrlBlocker
See merge request !2138
2017-08-10 20:47:28 +01:00
Rémy Coutable
ddccd24c13
Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-27 14:31:53 +02:00
Douwe Maan
65aafb9917
Merge branch 'ssrf' into 'security'
Protect server against SSRF in project import URLs
See merge request !2068
2017-03-20 18:53:04 -07:00