# coding: utf-8 require 'spec_helper' describe Gitlab::UrlBlocker do describe '#blocked_url?' do let(:ports) { Project::VALID_IMPORT_PORTS } it 'allows imports from configured web host and port' do import_url = "http://#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}/t.git" expect(described_class.blocked_url?(import_url)).to be false end it 'allows imports from configured SSH host and port' do import_url = "http://#{Gitlab.config.gitlab_shell.ssh_host}:#{Gitlab.config.gitlab_shell.ssh_port}/t.git" expect(described_class.blocked_url?(import_url)).to be false end it 'returns true for bad localhost hostname' do expect(described_class.blocked_url?('https://localhost:65535/foo/foo.git')).to be true end it 'returns true for bad port' do expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git', ports: ports)).to be true end it 'returns true for bad protocol' do expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git', protocols: ['https'])).to be false expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git')).to be false expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git', protocols: ['http'])).to be true end it 'returns true for alternative version of 127.0.0.1 (0177.1)' do expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true end it 'returns true for alternative version of 127.0.0.1 (0x7f.1)' do expect(described_class.blocked_url?('https://0x7f.1:65535/foo/foo.git')).to be true end it 'returns true for alternative version of 127.0.0.1 (2130706433)' do expect(described_class.blocked_url?('https://2130706433:65535/foo/foo.git')).to be true end it 'returns true for alternative version of 127.0.0.1 (127.000.000.001)' do expect(described_class.blocked_url?('https://127.000.000.001:65535/foo/foo.git')).to be true end it 'returns true for a non-alphanumeric hostname' do stub_resolv aggregate_failures do expect(described_class).to be_blocked_url('ssh://-oProxyCommand=whoami/a') # The leading character here is a Unicode "soft hyphen" expect(described_class).to be_blocked_url('ssh://­oProxyCommand=whoami/a') # Unicode alphanumerics are allowed expect(described_class).not_to be_blocked_url('ssh://ğitlab.com/a') end end it 'returns true for invalid URL' do expect(described_class.blocked_url?('http://:8080')).to be true end it 'returns false for legitimate URL' do expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git')).to be false end context 'when allow_local_network is' do let(:local_ips) { ['192.168.1.2', '10.0.0.2', '172.16.0.2'] } let(:fake_domain) { 'www.fakedomain.fake' } context 'true (default)' do it 'does not block urls from private networks' do local_ips.each do |ip| stub_domain_resolv(fake_domain, ip) expect(described_class).not_to be_blocked_url("http://#{fake_domain}") unstub_domain_resolv expect(described_class).not_to be_blocked_url("http://#{ip}") end end it 'allows IPv4 link-local endpoints' do expect(described_class).not_to be_blocked_url('http://169.254.169.254') expect(described_class).not_to be_blocked_url('http://169.254.168.100') end # This is blocked due to the hostname check: https://gitlab.com/gitlab-org/gitlab-ce/issues/50227 it 'blocks IPv6 link-local endpoints' do expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]') expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]') end end context 'false' do it 'blocks urls from private networks' do local_ips.each do |ip| stub_domain_resolv(fake_domain, ip) expect(described_class).to be_blocked_url("http://#{fake_domain}", allow_local_network: false) unstub_domain_resolv expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false) end end it 'blocks IPv4 link-local endpoints' do expect(described_class).to be_blocked_url('http://169.254.169.254', allow_local_network: false) expect(described_class).to be_blocked_url('http://169.254.168.100', allow_local_network: false) end it 'blocks IPv6 link-local endpoints' do expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]', allow_local_network: false) expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]', allow_local_network: false) expect(described_class).to be_blocked_url('http://[FE80::C800:EFF:FE74:8]', allow_local_network: false) end end def stub_domain_resolv(domain, ip) allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false)]) end def unstub_domain_resolv allow(Addrinfo).to receive(:getaddrinfo).and_call_original end end context 'when enforce_user is' do before do stub_resolv end context 'false (default)' do it 'does not block urls with a non-alphanumeric username' do expect(described_class).not_to be_blocked_url('ssh://-oProxyCommand=whoami@example.com/a') # The leading character here is a Unicode "soft hyphen" expect(described_class).not_to be_blocked_url('ssh://­oProxyCommand=whoami@example.com/a') # Unicode alphanumerics are allowed expect(described_class).not_to be_blocked_url('ssh://ğitlab@example.com/a') end end context 'true' do it 'blocks urls with a non-alphanumeric username' do aggregate_failures do expect(described_class).to be_blocked_url('ssh://-oProxyCommand=whoami@example.com/a', enforce_user: true) # The leading character here is a Unicode "soft hyphen" expect(described_class).to be_blocked_url('ssh://­oProxyCommand=whoami@example.com/a', enforce_user: true) # Unicode alphanumerics are allowed expect(described_class).not_to be_blocked_url('ssh://ğitlab@example.com/a', enforce_user: true) end end end end end # Resolv does not support resolving UTF-8 domain names # See https://bugs.ruby-lang.org/issues/4270 def stub_resolv allow(Resolv).to receive(:getaddresses).and_return([]) end end