diff options
| author | Francisco Javier López <fjlopez@gitlab.com> | 2019-09-03 11:12:39 +0200 |
|---|---|---|
| committer | Francisco Javier López <fjlopez@gitlab.com> | 2019-09-05 08:18:44 +0200 |
| commit | 8f07ba0d17f98ac50e50994dbc82c7c882f1355f (patch) | |
| tree | 46dc678ca07c374f55f8803feb3edbed8ce8a9ad | |
| parent | 86a3d82298ea9137c467129d1c828b92d7392ecd (diff) | |
| download | gitlab-ce-fj-remove-dns-protection-when-validating.tar.gz | |
Avoid checking dns rebind protection in validationfj-remove-dns-protection-when-validating
| -rw-r--r-- | app/validators/addressable_url_validator.rb | 8 | ||||
| -rw-r--r-- | changelogs/unreleased/fj-remove-dns-protection-when-validating.yml | 5 | ||||
| -rw-r--r-- | spec/validators/addressable_url_validator_spec.rb | 37 |
3 files changed, 49 insertions, 1 deletions
diff --git a/app/validators/addressable_url_validator.rb b/app/validators/addressable_url_validator.rb index bb445499cee..f292730441c 100644 --- a/app/validators/addressable_url_validator.rb +++ b/app/validators/addressable_url_validator.rb @@ -42,6 +42,11 @@ class AddressableUrlValidator < ActiveModel::EachValidator attr_reader :record + # By default, we avoid checking the dns rebinding protection + # when saving/updating a record. Sometimes, the url + # is not resolvable at that point, and some automated + # tasks that uses that url won't work. + # See https://gitlab.com/gitlab-org/gitlab-ce/issues/66723 BLOCKER_VALIDATE_OPTIONS = { schemes: %w(http https), ports: [], @@ -49,7 +54,8 @@ class AddressableUrlValidator < ActiveModel::EachValidator allow_local_network: true, ascii_only: false, enforce_user: false, - enforce_sanitization: false + enforce_sanitization: false, + dns_rebind_protection: false }.freeze DEFAULT_OPTIONS = BLOCKER_VALIDATE_OPTIONS.merge({ diff --git a/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml new file mode 100644 index 00000000000..9c74f8d69c7 --- /dev/null +++ b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml @@ -0,0 +1,5 @@ +--- +title: Avoid checking dns rebind protection when validating +merge_request: 32577 +author: +type: fixed diff --git a/spec/validators/addressable_url_validator_spec.rb b/spec/validators/addressable_url_validator_spec.rb index 387e84b2d04..6927a1f67a1 100644 --- a/spec/validators/addressable_url_validator_spec.rb +++ b/spec/validators/addressable_url_validator_spec.rb @@ -92,6 +92,15 @@ describe AddressableUrlValidator do expect(badge.errors).to be_empty expect(badge.link_url).to eq('https://127.0.0.1') end + + it 'allows urls that cannot be resolved' do + stub_env('RSPEC_ALLOW_INVALID_URLS', 'false') + badge.link_url = 'http://foobar.x' + + subject + + expect(badge.errors).to be_empty + end end context 'when message is set' do @@ -312,4 +321,32 @@ describe AddressableUrlValidator do end end end + + context 'when dns_rebind_protection is' do + let(:not_resolvable_url) { 'http://foobar.x' } + let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) } + + before do + stub_env('RSPEC_ALLOW_INVALID_URLS', 'false') + badge.link_url = not_resolvable_url + + subject + end + + context 'true' do + let(:dns_value) { true } + + it 'raises error' do + expect(badge.errors).to be_present + end + end + + context 'false' do + let(:dns_value) { false } + + it 'allows urls that cannot be resolved' do + expect(badge.errors).to be_empty + end + end + end end |