authorThiago Presa <tpresa@gitlab.com>2018-10-23 02:20:26 +0000
committerThiago Presa <tpresa@gitlab.com>2018-10-24 21:38:43 -0300
commit5bc0403f4516faff376b9d2de54ebb7cf2747aa1 (patch)
tree59ba5fa7b5ecd494b8553466fe56dbb7ed4a7bbe
parent3c1fdf6b5fd478d395b13b3b40ab3d1de20ed7e1 (diff)
downloadgitlab-ce-5bc0403f4516faff376b9d2de54ebb7cf2747aa1.tar.gz
Merge branch 'sh-block-other-localhost-11-3' into 'security-11-3'
[11.3] Prevent SSRF attacks in HipChat integration See merge request gitlab/gitlabhq!2548
-rw-r--r--changelogs/unreleased/sh-fix-hipchat-ssrf.yml5
-rw-r--r--config/initializers/hipchat_client_patch.rb14
-rw-r--r--spec/models/project_services/hipchat_service_spec.rb18
3 files changed, 37 insertions, 0 deletions
diff --git a/changelogs/unreleased/sh-fix-hipchat-ssrf.yml b/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
new file mode 100644
index 00000000000..cdc95a34fcf
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent SSRF attacks in HipChat integration
+merge_request:
+author:
+type: security
diff --git a/config/initializers/hipchat_client_patch.rb b/config/initializers/hipchat_client_patch.rb
new file mode 100644
index 00000000000..aec265312bb
--- /dev/null
+++ b/config/initializers/hipchat_client_patch.rb
@@ -0,0 +1,14 @@
+# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
+module HipChat
+ class Client
+ connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+ end
+
+ class Room
+ connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+ end
+
+ class User
+ connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+ end
+end
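Review bot: The initializer reopens `HipChat::Client`, `HipChat::Room` and `HipChat::User` but nothing in this file guarantees the hipchat gem is loaded first; if it is not, these `class` lines define fresh, empty classes, `connection_adapter` raises NoMethodError, and the gem's real classes stay unpatched. Presumably Bundler.require has already run by the time config/initializers is evaluated, but an explicit `require 'hipchat'` above `module HipChat` would make the patch independent of load order. The header comment should also state why this is done, e.g. `# Route every HipChat API request through the proxy adapter so a user-supplied server URL is validated before connecting and cannot reach local or internal addresses (SSRF).` It is also worth a comment noting that any other HTTParty-including class the gem adds later needs the same `connection_adapter` line, since each class keeps its own adapter setting.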
diff --git a/spec/models/project_services/hipchat_service_spec.rb b/spec/models/project_services/hipchat_service_spec.rb
index 0cd712e2f40..b0fd2ceead0 100644
--- a/spec/models/project_services/hipchat_service_spec.rb
+++ b/spec/models/project_services/hipchat_service_spec.rb
@@ -387,4 +387,22 @@ describe HipchatService do
end
end
end
+
+ context 'with UrlBlocker' do
+ let(:user) { create(:user) }
+ let(:project) { create(:project, :repository) }
+ let(:hipchat) { described_class.new(project: project) }
+ let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
+
+ describe '#execute' do
+ before do
+ hipchat.server = 'http://localhost:9123'
+ end
+
+ it 'raises UrlBlocker for localhost' do
+ expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
+ expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
+ end
+ end
+ end
end
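Review bot: The new context only exercises the literal hostname `localhost`, so it would still pass if the adapter blocked that name but let a numeric loopback or private-range address through; an additional example such as `hipchat.server = 'http://127.0.0.1:9123'` (and, if the blocker covers it, a private-range address) with the same `raise_error(Gitlab::HTTP::BlockedUrlError)` expectation would pin the behaviour the adapter is meant to provide. A positive example with an allowed host confirming `execute` does not raise would show the patch has not broken normal delivery. The `receive(:validate!).and_call_original` expectation on line 70 is good; consider a short comment above it, `# the adapter must consult UrlBlocker before opening the connection`, to record the intent. The enclosing `describe HipchatService do` block starts outside the hunk.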