author | Istvan szalai <istvan.szalai@savoirfairelinux.com> | 2018-08-24 17:20:04 -0400 |
---|---|---|
committer | rpereira2 <rpereira@gitlab.com> | 2019-07-24 12:42:17 +0530 |
commit | cfcde04d9eb43eea2bbf7cef09cd3caff2df7c05 (patch) | |
tree | fe68a24b6e4107eb5c13f95ffba2859e2c022ee5 | |
parent | 2524cb1016cc54b82bcbf01e4df5fad46b980912 (diff) | |
[ADD] outbound requests whitelist
Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>
-rw-r--r-- | app/models/application_setting.rb | 5 | ||||
-rw-r--r-- | app/models/application_setting_implementation.rb | 25 | ||||
-rw-r--r-- | app/views/admin/application_settings/_outbound.html.haml | 4 | ||||
-rw-r--r-- | changelogs/unreleased/add-outbound-requests-whitelist-for-local-networks.yml | 6 | ||||
-rw-r--r-- | config/initializers/1_settings.rb | 1 | ||||
-rw-r--r-- | db/migrate/20180824202952_add_outbound_requests_whitelist_to_application_settings.rb | 9 | ||||
-rw-r--r-- | doc/api/settings.md | 3 | ||||
-rw-r--r-- | lib/gitlab/url_blocker.rb | 4 | ||||
-rw-r--r-- | spec/support/shared_examples/application_setting_examples.rb | 22 |
9 files changed, 78 insertions, 1 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index 8e558487c1c..9347d82e9e5 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -19,6 +19,7 @@ class ApplicationSetting < ApplicationRecord serialize :restricted_visibility_levels # rubocop:disable Cop/ActiveRecordSerialize serialize :import_sources # rubocop:disable Cop/ActiveRecordSerialize serialize :disabled_oauth_sign_in_sources, Array # rubocop:disable Cop/ActiveRecordSerialize + serialize :outbound_requests_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize serialize :domain_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize serialize :domain_blacklist, Array # rubocop:disable Cop/ActiveRecordSerialize serialize :repository_storages # rubocop:disable Cop/ActiveRecordSerialize @@ -117,6 +118,10 @@ class ApplicationSetting < ApplicationRecord validates :enabled_git_access_protocol, inclusion: { in: %w(ssh http), allow_blank: true, allow_nil: true } + validates :outbound_requests_whitelist, + presence: { message: 'Outbound requests whitelist cannot be activated if local requests from hooks and services is enabled.' }, + if: :allow_local_requests_from_hooks_and_services? + validates :domain_blacklist, presence: { message: 'Domain blacklist cannot be empty if Blacklist is enabled.' }, if: :domain_blacklist_enabled? diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb index df4caed175d..d80777fba0f 100644 --- a/app/models/application_setting_implementation.rb +++ b/app/models/application_setting_implementation.rb @@ -96,7 +96,8 @@ module ApplicationSettingImplementation diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES, commit_email_hostname: default_commit_email_hostname, protected_ci_variables: false, - local_markdown_version: 0 + local_markdown_version: 0, + outbound_requests_whitelist: Settings.gitlab['outbound_requests_whitelist'] } end 
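Review bot: The `presence` validation added after `enabled_git_access_protocol` is gated on `if: :allow_local_requests_from_hooks_and_services?`, which makes the whitelist mandatory exactly when local requests are already allowed, while its message says the whitelist "cannot be activated" in that case — the condition and the message contradict each other. Because the attribute's default is `[]` (this commit sets `Settings.gitlab['outbound_requests_whitelist'] ||= []` and feeds it into the defaults hash) and an empty Array fails `presence`, any instance that has enabled local requests will no longer be able to save its application settings once this ships. If mutual exclusion is the intent, write `validates :outbound_requests_whitelist, absence: { message: '…' }, if: :allow_local_requests_from_hooks_and_services?`; if the whitelist is merely irrelevant when local requests are allowed, drop the validation. What the attribute does need is a per-entry check that each value is a hostname, IP address or CIDR, since the `_raw=` setter stores administrator input verbatim. The `ApplicationSetting` class body continues outside the hunk.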
@@ -130,6 +131,17 @@ module ApplicationSettingImplementation super(sources) end + def outbound_requests_whitelist_raw + self.outbound_requests_whitelist&.join("\n") + end + + def outbound_requests_whitelist_raw=(values) + self.outbound_requests_whitelist = [] + self.outbound_requests_whitelist = values.split(DOMAIN_LIST_SEPARATOR) + self.outbound_requests_whitelist.reject! { |d| d.empty? } + self.outbound_requests_whitelist + end + def domain_whitelist_raw self.domain_whitelist&.join("\n") end @@ -156,6 +168,17 @@ module ApplicationSettingImplementation self.domain_blacklist_raw = file.read end + def outbound_requests_whitelist_raw + self.outbound_requests_whitelist = string_to_array(values) + end + + def outbound_requests_whitelist_raw=(values) + self.outbound_requests_whitelist = [] + self.outbound_requests_whitelist = values.split(DOMAIN_LIST_SEPARATOR) + self.outbound_requests_whitelist.reject! { |d| d.empty? } + self.outbound_requests_whitelist + end + def repository_storages Array(read_attribute(:repository_storages)) end diff --git a/app/views/admin/application_settings/_outbound.html.haml b/app/views/admin/application_settings/_outbound.html.haml index d16304ed338..c302b042a95 100644 --- a/app/views/admin/application_settings/_outbound.html.haml +++ b/app/views/admin/application_settings/_outbound.html.haml @@ -8,6 +8,10 @@ = f.label :allow_local_requests_from_hooks_and_services, class: 'form-check-label' do Allow requests to the local network from hooks and services + = f.label :web_hook_uri_whitelist, class: 'label-bold' do + URI of trusted services for web hook integrations + = f.text_field :web_hook_uri_whitelist, placeholder: "example.com,192.168.1.1", class: 'form-control' + .form-group .form-check = f.check_box :dns_rebinding_protection_enabled, class: 'form-check-input' 
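Review bot: The `outbound_requests_whitelist_raw` reader and `outbound_requests_whitelist_raw=` writer added after `domain_blacklist_file=` duplicate the pair already added in the `@@ -130` hunk above; Ruby keeps the last definition, so this reader is the one that runs, and it references an undefined local `values` and assigns the attribute instead of returning the joined string, so every call to it raises `NameError`. Remove this second pair entirely and keep the earlier one. In the surviving writer the `self.outbound_requests_whitelist = []` line before the `split` assignment is dead and can go; consider parsing with the `string_to_array` helper this hunk names (presumably what the sibling `domain_*_raw=` setters use — not visible here) so all three list attributes are normalised the same way. The enclosing `ApplicationSettingImplementation` module continues outside the hunk.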
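Review bot: The form field added under the `allow_local_requests_from_hooks_and_services` checkbox binds `:web_hook_uri_whitelist`, but no attribute or accessor of that name exists on `ApplicationSetting` in this commit — the model gains `outbound_requests_whitelist` and an `outbound_requests_whitelist_raw` accessor for exactly this purpose — so rendering this partial will most likely raise `NoMethodError` from the form builder, and even if it rendered the value would never reach the model. Change the two lines to `= f.label :outbound_requests_whitelist_raw, class: 'label-bold' do` and `= f.text_area :outbound_requests_whitelist_raw, placeholder: "example.com, 192.168.1.1", class: 'form-control', rows: 8` (a text area, because the `_raw` reader joins entries with newlines), and make sure the admin settings controller permits the new parameter (outside this diff). Add a help sentence under the field stating that a whitelisted hostname re-enables requests to whatever address it resolves to, so only names the administrator controls belong in the list.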
diff --git a/changelogs/unreleased/add-outbound-requests-whitelist-for-local-networks.yml b/changelogs/unreleased/add-outbound-requests-whitelist-for-local-networks.yml new file mode 100644 index 00000000000..41305aa160e --- /dev/null +++ b/changelogs/unreleased/add-outbound-requests-whitelist-for-local-networks.yml @@ -0,0 +1,6 @@ +--- +title: Add Outbound requests whitelist for local networks +merge_request: 21377 +author: Istvan Szalai +type: added + diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 494c4dd1f93..64a004ac620 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb @@ -197,6 +197,7 @@ Settings.gitlab.default_projects_features['snippets'] = true if Settin Settings.gitlab.default_projects_features['builds'] = true if Settings.gitlab.default_projects_features['builds'].nil? Settings.gitlab.default_projects_features['container_registry'] = true if Settings.gitlab.default_projects_features['container_registry'].nil? Settings.gitlab.default_projects_features['visibility_level'] = Settings.__send__(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE) +Settings.gitlab['outbound_requests_whitelist'] ||= [] Settings.gitlab['domain_whitelist'] ||= [] Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values Settings.gitlab['trusted_proxies'] ||= [] diff --git a/db/migrate/20180824202952_add_outbound_requests_whitelist_to_application_settings.rb b/db/migrate/20180824202952_add_outbound_requests_whitelist_to_application_settings.rb new file mode 100644 index 00000000000..f43a9c19048 --- /dev/null +++ b/db/migrate/20180824202952_add_outbound_requests_whitelist_to_application_settings.rb 
@@ -0,0 +1,9 @@ +class AddOutboundRequestsWhitelistToApplicationSettings < ActiveRecord::Migration + + # Set this constant to true if this migration requires downtime. + DOWNTIME = false + + def change + add_column :application_settings, :outbound_requests_whitelist, :text + end +end diff --git a/doc/api/settings.md b/doc/api/settings.md index ff48cac1f47..695eff1dad0 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md @@ -39,6 +39,7 @@ Example response: "session_expire_delay" : 10080, "home_page_url" : null, "default_snippet_visibility" : "private", + "outbound_requests_whitelist": [], "domain_whitelist" : [], "domain_blacklist_enabled" : false, "domain_blacklist" : [], @@ -113,6 +114,7 @@ Example response: "default_project_visibility": "internal", "default_snippet_visibility": "private", "default_group_visibility": "private", + "outbound_requests_whitelist": [], "domain_whitelist": [], "domain_blacklist_enabled" : false, "domain_blacklist" : [], 
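Review bot: `AddOutboundRequestsWhitelistToApplicationSettings` inherits from bare `ActiveRecord::Migration` with no Rails version tag; the models in this commit inherit `ApplicationRecord`, which indicates Rails 5 or later, where loading an unversioned migration raises `Directly inheriting from ActiveRecord::Migration is not supported`. Change the header to `class AddOutboundRequestsWhitelistToApplicationSettings < ActiveRecord::Migration[5.2]`, using whichever version the neighbouring files in `db/migrate` declare. The nullable `:text` column itself is fine, since `serialize :outbound_requests_whitelist, Array` in the model reads a NULL back as an empty list.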
@@ -193,6 +195,7 @@ are listed in the descriptions of the relevant settings. | `domain_blacklist` | array of strings | required by: `domain_blacklist_enabled` | Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: `domain.com`, `*.domain.com`. | | `domain_blacklist_enabled` | boolean | no | (**If enabled, requires:** `domain_blacklist`) Allows blocking sign-ups from emails from specific domains. | | `domain_whitelist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. | +| `outbound_requests_whitelist` | array of strings | no | Define a list of trusted domains or ip addresses for outbound requests. | `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. | | `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. | | `ed25519_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. | diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb index f6b2e2acf16..8732e5dec09 100644 --- a/lib/gitlab/url_blocker.rb +++ b/lib/gitlab/url_blocker.rb @@ -231,6 +231,10 @@ module Gitlab (uri.port.blank? || uri.port == config.gitlab_shell.ssh_port) end + def whitelisted?(uri) + config.gitlab.outbound_requests_whitelist.include?(uri) + end + def config Gitlab.config end diff --git a/spec/support/shared_examples/application_setting_examples.rb b/spec/support/shared_examples/application_setting_examples.rb index e7ec24c5b7e..1fcc304e941 100644 --- a/spec/support/shared_examples/application_setting_examples.rb +++ b/spec/support/shared_examples/application_setting_examples.rb 
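Review bot: `whitelisted?` compares the `URI` object it receives against an array of strings with `include?`, and a `URI` is never `==` a `String`, so it returns false for every input; even matched on `uri.to_s` it would need the full URL verbatim, which neither the `example.com`/`192.168.1.1` entries the admin form suggests nor the `*.example.com` entries the new specs store could satisfy. It also reads `config.gitlab.outbound_requests_whitelist`, the gitlab.yml default initialised in `1_settings.rb`, rather than the `ApplicationSetting` value the admin UI edits, and nothing in this diff calls `whitelisted?` from the blocking path, so the feature is inert. The security-relevant caveat for whoever wires it in: a hostname entry must be checked against the addresses the blocker resolves (presumably in `validate!`, outside this hunk), or the request pinned to the resolved address, otherwise a whitelisted name that resolves to — or later rebinds to — an internal address quietly reopens the SSRF this module exists to prevent. A minimal sketch that matches the host string and resolved addresses, with the configuration source left as a TODO, follows; the enclosing `module Gitlab` and class continue outside the hunk.
```ruby
# Matches the request host, or one of its resolved addresses, against the
# configured whitelist entries. Wildcard entries are not supported here.
def whitelisted?(uri, resolved_addresses = [])
  # TODO: read the persisted ApplicationSetting value rather than the gitlab.yml default
  entries = Array(config.gitlab.outbound_requests_whitelist)
  return false if entries.empty?

  candidates = [uri.hostname, *resolved_addresses.map(&:to_s)].compact
  candidates.any? { |candidate| entries.include?(candidate) }
end
```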
@@ -23,6 +23,28 @@ RSpec.shared_examples 'application settings examples' do end end + context 'restricted outbound requests domain' do + it 'sets outbound requests domain' do + setting.outbound_requests_whitelist_raw = 'example.com' + expect(setting.outbound_requests_whitelist).to eq(['example.com']) + end + + it 'sets multiple outbound requests domain with spaces' do + setting.outbound_requests_whitelist_raw = 'example.com *.example.com' + expect(setting.outbound_requests_whitelist).to eq(['example.com', '*.example.com']) + end + + it 'sets multiple outbound requests domains with newlines and a space' do + setting.outbound_requests_whitelist_raw = "example.com\n *.example.com" + expect(setting.outbound_requests_whitelist).to eq(['example.com', '*.example.com']) + end + + it 'sets multiple outbound requests domains with commas' do + setting.outbound_requests_whitelist_raw = "example.com, *.example.com" + expect(setting.outbound_requests_whitelist).to eq(['example.com', '*.example.com']) + end + end + context 'blacklisted signup domains' do it 'sets single domain' do setting.domain_blacklist_raw = 'example.com' |
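Review bot: The new `'restricted outbound requests domain'` context only exercises parsing in `outbound_requests_whitelist_raw=`; nothing in this diff covers the `outbound_requests_whitelist_raw` reader, the new `presence` validation tied to `allow_local_requests_from_hooks_and_services?`, or `Gitlab::UrlBlocker#whitelisted?`, which are the parts most likely to be wrong. Add at least a round-trip example, e.g. `setting.outbound_requests_whitelist_raw = "example.com\n*.example.com"` followed by `expect(setting.outbound_requests_whitelist_raw).to eq("example.com\n*.example.com")`, plus a `Gitlab::UrlBlocker` spec showing that a whitelisted local host passes and a non-whitelisted one is still blocked. These examples also store `'*.example.com'`, implying wildcard matching that no code in the diff implements; either implement it in the blocker or do not suggest it in the tests. The shared example group continues outside the hunk.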