kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
98,229 Commits 1 Branch 0 Tags 899 MiB
Commit Graph

17 Commits

Author SHA1 Message Date
Reuben Pereira 28c76fb551 Don't use bang method when there is no safe method 
https://github.com/rubocop-hq/ruby-style-guide#dangerous-method-bang
 2019-07-12 07:04:44 +00:00
Oswaldo Ferreira a1a0f8e6b0 Add DNS rebinding protection settings 2019-05-30 10:47:57 -03:00
Douwe Maan a9bcddee4c Protect Gitlab::HTTP against DNS rebinding attack 
Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.
 2019-05-30 10:47:31 -03:00
Thong Kuah d119d3d1b2 Align UrlValidator to validate_url gem implementation. 
Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.
 2019-04-11 06:29:07 +00:00
James Edwards-Jones 72c0059407 Allow URLs to be validated as ascii_only 
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
 2018-12-06 15:18:18 +00:00
Steve Azzopardi a9f5b22394
Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5' 
[11.5] Fix SSRF in project integrations

See merge request gitlab/gitlabhq!2611
 2018-11-28 19:14:36 -05:00
Cindy Pallares 4bc6f2e3ac
Merge branch 'security-stored-xss-for-environments' into 'master' 
[master] Stored XSS for Environments

Closes #2727

See merge request gitlab/gitlabhq!2594
 2018-11-28 19:07:29 -05:00
Stan Hu b1d04cf9d5 Block loopback addresses in UrlBlocker 
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128
 2018-09-05 22:04:23 -07:00
Stan Hu b3f7558750 Block link-local addresses in URLBlocker 
Closes https://gitlab.com/gitlab-com/migration/issues/766
 2018-08-12 22:34:34 -07:00
Francisco Javier López 1418afc2d6 Avoid checking the user format in every url validation 2018-06-11 13:29:37 +00:00
Francisco Javier López 840f80d48b Add validation to webhook and service URLs to ensure they are not blocked because of SSRF 2018-06-01 11:43:53 +00:00
Douwe Maan b290d929bc
Rename allow_private_networks to allow_local_network 2018-04-02 17:24:19 +02:00
Douwe Maan 95ced3bb5f Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6' 
Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337
 2018-03-21 14:39:21 +00:00
Douwe Maan 89bd78352e Merge branch 'ssrf-protections-round-2' into 'security-10-1' 
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions

See merge request gitlab/gitlabhq!2219

(cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5)

1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
 2017-11-08 20:11:08 -08:00
James Edwards-Jones b296921681 Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4' 
Ensure user and hostnames begin with an alnum character in UrlBlocker

See merge request !2138
 2017-08-10 20:47:28 +01:00
Rémy Coutable ddccd24c13 Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true 
Signed-off-by: Rémy Coutable <remy@rymai.me>
 2017-07-27 14:31:53 +02:00
Douwe Maan 65aafb9917 Merge branch 'ssrf' into 'security' 
Protect server against SSRF in project import URLs

See merge request !2068
 2017-03-20 18:53:04 -07:00