authorIstvan szalai <istvan.szalai@savoirfairelinux.com>2018-08-24 17:20:04 -0400
committerrpereira2 <rpereira@gitlab.com>2019-07-24 12:42:17 +0530
commitcfcde04d9eb43eea2bbf7cef09cd3caff2df7c05 (patch)
treefe68a24b6e4107eb5c13f95ffba2859e2c022ee5
parent2524cb1016cc54b82bcbf01e4df5fad46b980912 (diff)
[ADD] outbound requests whitelist
Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>
-rw-r--r--app/models/application_setting.rb5
-rw-r--r--app/models/application_setting_implementation.rb25
-rw-r--r--app/views/admin/application_settings/_outbound.html.haml4
-rw-r--r--changelogs/unreleased/add-outbound-requests-whitelist-for-local-networks.yml6
-rw-r--r--config/initializers/1_settings.rb1
-rw-r--r--db/migrate/20180824202952_add_outbound_requests_whitelist_to_application_settings.rb9
-rw-r--r--doc/api/settings.md3
-rw-r--r--lib/gitlab/url_blocker.rb4
-rw-r--r--spec/support/shared_examples/application_setting_examples.rb22
9 files changed, 78 insertions, 1 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 8e558487c1c..9347d82e9e5 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -19,6 +19,7 @@ class ApplicationSetting < ApplicationRecord
serialize :restricted_visibility_levels # rubocop:disable Cop/ActiveRecordSerialize
serialize :import_sources # rubocop:disable Cop/ActiveRecordSerialize
serialize :disabled_oauth_sign_in_sources, Array # rubocop:disable Cop/ActiveRecordSerialize
+ serialize :outbound_requests_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :domain_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :domain_blacklist, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :repository_storages # rubocop:disable Cop/ActiveRecordSerialize
@@ -117,6 +118,10 @@ class ApplicationSetting < ApplicationRecord
validates :enabled_git_access_protocol,
inclusion: { in: %w(ssh http), allow_blank: true, allow_nil: true }
+ validates :outbound_requests_whitelist,
+ presence: { message: 'Outbound requests whitelist cannot be activated if local requests from hooks and services is enabled.' },
+ if: :allow_local_requests_from_hooks_and_services?
+
validates :domain_blacklist,
presence: { message: 'Domain blacklist cannot be empty if Blacklist is enabled.' },
if: :domain_blacklist_enabled?
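Review bot: The new `presence` validation on `outbound_requests_whitelist` fires when `allow_local_requests_from_hooks_and_services?` is true, yet its message says the whitelist "cannot be activated" in that case — the condition and the message point in opposite directions, and a whitelist of trusted outbound hosts only has an effect when local requests are otherwise blocked. Because the attribute is serialized as an Array, `presence` also rejects an empty list, so an admin who simply enables local requests without entering any whitelist entries would be unable to save the settings. Decide which rule is intended and align both; if the intent is "a whitelist may only be set while local requests are disabled", the check should be `if: -> { outbound_requests_whitelist.present? && allow_local_requests_from_hooks_and_services? }` with an explicit `errors.add`, not `presence`. The class body continues outside this hunk.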
diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb
index df4caed175d..d80777fba0f 100644
--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -96,7 +96,8 @@ module ApplicationSettingImplementation
diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES,
commit_email_hostname: default_commit_email_hostname,
protected_ci_variables: false,
- local_markdown_version: 0
+ local_markdown_version: 0,
+ outbound_requests_whitelist: Settings.gitlab['outbound_requests_whitelist']
}
end
@@ -130,6 +131,17 @@ module ApplicationSettingImplementation
super(sources)
end
+ def outbound_requests_whitelist_raw
+ self.outbound_requests_whitelist&.join("\n")
+ end
+
+ def outbound_requests_whitelist_raw=(values)
+ self.outbound_requests_whitelist = []
+ self.outbound_requests_whitelist = values.split(DOMAIN_LIST_SEPARATOR)
+ self.outbound_requests_whitelist.reject! { |d| d.empty? }
+ self.outbound_requests_whitelist
+ end
+
def domain_whitelist_raw
self.domain_whitelist&.join("\n")
end
@@ -156,6 +168,17 @@ module ApplicationSettingImplementation
self.domain_blacklist_raw = file.read
end
+ def outbound_requests_whitelist_raw
+ self.outbound_requests_whitelist = string_to_array(values)
+ end
+
+ def outbound_requests_whitelist_raw=(values)
+ self.outbound_requests_whitelist = []
+ self.outbound_requests_whitelist = values.split(DOMAIN_LIST_SEPARATOR)
+ self.outbound_requests_whitelist.reject! { |d| d.empty? }
+ self.outbound_requests_whitelist
+ end
+
def repository_storages
Array(read_attribute(:repository_storages))
end
diff --git a/app/views/admin/application_settings/_outbound.html.haml b/app/views/admin/application_settings/_outbound.html.haml
index d16304ed338..c302b042a95 100644
--- a/app/views/admin/application_settings/_outbound.html.haml
+++ b/app/views/admin/application_settings/_outbound.html.haml
@@ -8,6 +8,10 @@
= f.label :allow_local_requests_from_hooks_and_services, class: 'form-check-label' do
Allow requests to the local network from hooks and services
+ = f.label :web_hook_uri_whitelist, class: 'label-bold' do
+ URI of trusted services for web hook integrations
+ = f.text_field :web_hook_uri_whitelist, placeholder: "example.com,192.168.1.1", class: 'form-control'
+
.form-group
.form-check
= f.check_box :dns_rebinding_protection_enabled, class: 'form-check-input'
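Review bot: The new form field is bound to `:web_hook_uri_whitelist`, but the model exposes `outbound_requests_whitelist_raw` and no `web_hook_uri_whitelist` reader, so `f.text_field` cannot read the current value and whatever is submitted here never reaches `outbound_requests_whitelist`. Both lines should name the model method: `= f.label :outbound_requests_whitelist_raw, class: 'label-bold' do` and `= f.text_field :outbound_requests_whitelist_raw, placeholder: "example.com,192.168.1.1", class: 'form-control'`. The controller's permitted-parameter list is not in this diff; `outbound_requests_whitelist_raw` presumably has to be added there too for the value to be saved. Indentation is not preserved on this page, so whether the field sits inside the preceding `.form-check` block cannot be confirmed from here.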
diff --git a/changelogs/unreleased/add-outbound-requests-whitelist-for-local-networks.yml b/changelogs/unreleased/add-outbound-requests-whitelist-for-local-networks.yml
new file mode 100644
index 00000000000..41305aa160e
--- /dev/null
+++ b/changelogs/unreleased/add-outbound-requests-whitelist-for-local-networks.yml
@@ -0,0 +1,6 @@
+---
+title: Add Outbound requests whitelist for local networks
+merge_request: 21377
+author: Istvan Szalai
+type: added
+
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 494c4dd1f93..64a004ac620 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -197,6 +197,7 @@ Settings.gitlab.default_projects_features['snippets'] = true if Settin
Settings.gitlab.default_projects_features['builds'] = true if Settings.gitlab.default_projects_features['builds'].nil?
Settings.gitlab.default_projects_features['container_registry'] = true if Settings.gitlab.default_projects_features['container_registry'].nil?
Settings.gitlab.default_projects_features['visibility_level'] = Settings.__send__(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE)
+Settings.gitlab['outbound_requests_whitelist'] ||= []
Settings.gitlab['domain_whitelist'] ||= []
Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values
Settings.gitlab['trusted_proxies'] ||= []
diff --git a/db/migrate/20180824202952_add_outbound_requests_whitelist_to_application_settings.rb b/db/migrate/20180824202952_add_outbound_requests_whitelist_to_application_settings.rb
new file mode 100644
index 00000000000..f43a9c19048
--- /dev/null
+++ b/db/migrate/20180824202952_add_outbound_requests_whitelist_to_application_settings.rb
@@ -0,0 +1,9 @@
+class AddOutboundRequestsWhitelistToApplicationSettings < ActiveRecord::Migration
+
+ # Set this constant to true if this migration requires downtime.
+ DOWNTIME = false
+
+ def change
+ add_column :application_settings, :outbound_requests_whitelist, :text
+ end
+end
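Review bot: `AddOutboundRequestsWhitelistToApplicationSettings` inherits from bare `ActiveRecord::Migration`; on Rails 5 and later that raises at load time asking for a version, so if this branch runs Rails 5 the superclass should be the versioned form (for example `ActiveRecord::Migration[4.2]`), matching the neighbouring migrations in `db/migrate`. The column is plain `:text` with no default, so until the record is saved through the model the stored value is NULL — consistent with the `&.join` guard in the `_raw` reader, but worth a one-line comment above `add_column` saying the list is serialized as an Array by the model.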
diff --git a/doc/api/settings.md b/doc/api/settings.md
index ff48cac1f47..695eff1dad0 100644
--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -39,6 +39,7 @@ Example response:
"session_expire_delay" : 10080,
"home_page_url" : null,
"default_snippet_visibility" : "private",
+ "outbound_requests_whitelist": [],
"domain_whitelist" : [],
"domain_blacklist_enabled" : false,
"domain_blacklist" : [],
@@ -113,6 +114,7 @@ Example response:
"default_project_visibility": "internal",
"default_snippet_visibility": "private",
"default_group_visibility": "private",
+ "outbound_requests_whitelist": [],
"domain_whitelist": [],
"domain_blacklist_enabled" : false,
"domain_blacklist" : [],
@@ -193,6 +195,7 @@ are listed in the descriptions of the relevant settings.
| `domain_blacklist` | array of strings | required by: `domain_blacklist_enabled` | Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: `domain.com`, `*.domain.com`. |
| `domain_blacklist_enabled` | boolean | no | (**If enabled, requires:** `domain_blacklist`) Allows blocking sign-ups from emails from specific domains. |
| `domain_whitelist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
+| `outbound_requests_whitelist` | array of strings | no | Define a list of trusted domains or ip addresses for outbound requests.
| `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. |
| `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. |
| `ed25519_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. |
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index f6b2e2acf16..8732e5dec09 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -231,6 +231,10 @@ module Gitlab
(uri.port.blank? || uri.port == config.gitlab_shell.ssh_port)
end
+ def whitelisted?(uri)
+ config.gitlab.outbound_requests_whitelist.include?(uri)
+ end
+
def config
Gitlab.config
end
diff --git a/spec/support/shared_examples/application_setting_examples.rb b/spec/support/shared_examples/application_setting_examples.rb
index e7ec24c5b7e..1fcc304e941 100644
--- a/spec/support/shared_examples/application_setting_examples.rb
+++ b/spec/support/shared_examples/application_setting_examples.rb
@@ -23,6 +23,28 @@ RSpec.shared_examples 'application settings examples' do
end
end
+ context 'restricted outbound requests domain' do
+ it 'sets outbound requests domain' do
+ setting.outbound_requests_whitelist_raw = 'example.com'
+ expect(setting.outbound_requests_whitelist).to eq(['example.com'])
+ end
+
+ it 'sets multiple outbound requests domain with spaces' do
+ setting.outbound_requests_whitelist_raw = 'example.com *.example.com'
+ expect(setting.outbound_requests_whitelist).to eq(['example.com', '*.example.com'])
+ end
+
+ it 'sets multiple outbound requests domains with newlines and a space' do
+ setting.outbound_requests_whitelist_raw = "example.com\n *.example.com"
+ expect(setting.outbound_requests_whitelist).to eq(['example.com', '*.example.com'])
+ end
+
+ it 'sets multiple outbound requests domains with commas' do
+ setting.outbound_requests_whitelist_raw = "example.com, *.example.com"
+ expect(setting.outbound_requests_whitelist).to eq(['example.com', '*.example.com'])
+ end
+ end
+
context 'blacklisted signup domains' do
it 'sets single domain' do
setting.domain_blacklist_raw = 'example.com'
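Review bot: The new examples only exercise the `outbound_requests_whitelist_raw=` setter; neither the `presence` validation added to `ApplicationSetting` nor `Gitlab::UrlBlocker#whitelisted?` gets a spec, and the latter is where an allow-list mistake would weaken the SSRF protection this blocker provides. Add a blocker example asserting that a whitelisted host is allowed and a non-whitelisted local address is still rejected, plus a model example for the validation path. The `'*.example.com'` inputs accepted here imply wildcard support that the blocker does not currently implement, so either the spec or the matcher should be adjusted to agree.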