authorThong Kuah <tkuah@gitlab.com>2019-09-05 09:11:15 +0000
committerThong Kuah <tkuah@gitlab.com>2019-09-05 09:11:15 +0000
commit4e9c531a84c012d2947e39d483531895d02208ea (patch)
tree13528ed19cbc5c7a30fd0945223b8f2d84e9396b
parent8d93ec2e90edde1b519fa59fdc8e2af12d76d4c0 (diff)
parent537eb0bb2d4d8a2af9753850c4a85fc473b68d8d (diff)
downloadgitlab-ce-4e9c531a84c012d2947e39d483531895d02208ea.tar.gz
Merge branch 'fj-remove-dns-protection-when-validating' into 'master'
Avoid checking dns rebind protection in validation Closes #66723 See merge request gitlab-org/gitlab-ce!32577
-rw-r--r--app/validators/addressable_url_validator.rb8
-rw-r--r--changelogs/unreleased/fj-remove-dns-protection-when-validating.yml5
-rw-r--r--spec/validators/addressable_url_validator_spec.rb37
3 files changed, 49 insertions, 1 deletions
diff --git a/app/validators/addressable_url_validator.rb b/app/validators/addressable_url_validator.rb
index bb445499cee..f292730441c 100644
--- a/app/validators/addressable_url_validator.rb
+++ b/app/validators/addressable_url_validator.rb
@@ -42,6 +42,11 @@
class AddressableUrlValidator < ActiveModel::EachValidator
attr_reader :record
+ # By default, we avoid checking the dns rebinding protection
+ # when saving/updating a record. Sometimes, the url
+ # is not resolvable at that point, and some automated
+ # tasks that uses that url won't work.
+ # See https://gitlab.com/gitlab-org/gitlab-ce/issues/66723
BLOCKER_VALIDATE_OPTIONS = {
schemes: %w(http https),
ports: [],
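Review bot: The added comment above `BLOCKER_VALIDATE_OPTIONS` explains why the check is skipped at save time but not what guards the URL when it is actually requested, and the next hunk's `dns_rebind_protection: false` sits alongside `allow_local_network: true` in the same constant. I would add a line such as `# This validator is therefore not an SSRF boundary; code that later requests the URL must validate it again at request time.` so a reader does not treat a saved URL as vetted. Whether every consumer of these URLs re-validates is not visible from this diff and is worth confirming. Minor wording: `tasks that uses` should read `tasks that use`. The constant's hash continues outside this hunk.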
@@ -49,7 +54,8 @@ class AddressableUrlValidator < ActiveModel::EachValidator
allow_local_network: true,
ascii_only: false,
enforce_user: false,
- enforce_sanitization: false
+ enforce_sanitization: false,
+ dns_rebind_protection: false
}.freeze
DEFAULT_OPTIONS = BLOCKER_VALIDATE_OPTIONS.merge({
diff --git a/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
new file mode 100644
index 00000000000..9c74f8d69c7
--- /dev/null
+++ b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
@@ -0,0 +1,5 @@
+---
+title: Avoid checking dns rebind protection when validating
+merge_request: 32577
+author:
+type: fixed
diff --git a/spec/validators/addressable_url_validator_spec.rb b/spec/validators/addressable_url_validator_spec.rb
index 387e84b2d04..6927a1f67a1 100644
--- a/spec/validators/addressable_url_validator_spec.rb
+++ b/spec/validators/addressable_url_validator_spec.rb
@@ -92,6 +92,15 @@ describe AddressableUrlValidator do
expect(badge.errors).to be_empty
expect(badge.link_url).to eq('https://127.0.0.1')
end
+
+ it 'allows urls that cannot be resolved' do
+ stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+ badge.link_url = 'http://foobar.x'
+
+ subject
+
+ expect(badge.errors).to be_empty
+ end
end
context 'when message is set' do
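Review bot: The new example depends on `http://foobar.x` failing to resolve on whatever resolver the test host uses, and `.x` is not a reserved name, so a search domain or a resolver that answers unknown names could make the example behave differently from what it claims to test. A hostname under the reserved `.invalid` TLD, e.g. `badge.link_url = 'http://foobar.invalid'`, or a stubbed resolver failure, would make the intent explicit. The same applies to `not_resolvable_url` in the later hunk of this file. The enclosing `context` starts above this hunk.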
@@ -312,4 +321,32 @@ describe AddressableUrlValidator do
end
end
end
+
+ context 'when dns_rebind_protection is' do
+ let(:not_resolvable_url) { 'http://foobar.x' }
+ let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) }
+
+ before do
+ stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+ badge.link_url = not_resolvable_url
+
+ subject
+ end
+
+ context 'true' do
+ let(:dns_value) { true }
+
+ it 'raises error' do
+ expect(badge.errors).to be_present
+ end
+ end
+
+ context 'false' do
+ let(:dns_value) { false }
+
+ it 'allows urls that cannot be resolved' do
+ expect(badge.errors).to be_empty
+ end
+ end
+ end
end
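Review bot: The `context 'true'` example only asserts `expect(badge.errors).to be_present`, so any validation failure on the badge satisfies it, not just the rejection of the unresolvable host. Narrowing it to the attribute, `expect(badge.errors[:link_url]).to be_present`, or matching the expected message, would pin the behaviour. The block also has no example showing that, with `dns_rebind_protection: false`, a hostname that does resolve to a local address is still subject to the validator's local-network options. Given the relaxed default, that is the case a reader would most want covered.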