author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-01-10 20:39:45 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-01-10 20:40:15 +0000 |
commit | 14a8f06fe50418d1a9389806adcd7b0568b015a7 (patch) | |
tree | 35d4623beceb412981d60a4a1715fe0fe1e529d9 | |
parent | 13469ac241e92ca4d62b598d7b9edcee05bda493 (diff) | |
download | gitlab-ce-14a8f06fe50418d1a9389806adcd7b0568b015a7.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee
-rw-r--r-- | lib/gitlab/url_blocker.rb | 4 | ||||
-rw-r--r-- | spec/lib/gitlab/url_blocker_spec.rb | 56 |
2 files changed, 40 insertions, 20 deletions
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 10822f943b6..3267e92939e 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -246,13 +246,13 @@ module Gitlab
       def internal_web?(uri)
         uri.scheme == config.gitlab.protocol &&
           uri.hostname == config.gitlab.host &&
-          (uri.port.blank? || uri.port == config.gitlab.port)
+          get_port(uri) == config.gitlab.port
       end
 
       def internal_shell?(uri)
         uri.scheme == 'ssh' &&
           uri.hostname == config.gitlab_shell.ssh_host &&
-          (uri.port.blank? || uri.port == config.gitlab_shell.ssh_port)
+          get_port(uri) == config.gitlab_shell.ssh_port
       end
 
       def domain_allowed?(uri)
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb
index e076815c4f6..0713475d59b 100644
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -531,24 +531,6 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
           end
         end
       end
-
-      def stub_domain_resolv(domain, ip, port = 80, &block)
-        address = instance_double(Addrinfo,
-          ip_address: ip,
-          ipv4_private?: true,
-          ipv6_linklocal?: false,
-          ipv4_loopback?: false,
-          ipv6_loopback?: false,
-          ipv4?: false,
-          ip_port: port
-        )
-        allow(Addrinfo).to receive(:getaddrinfo).with(domain, port, any_args).and_return([address])
-        allow(address).to receive(:ipv6_v4mapped?).and_return(false)
-
-        yield
-
-        allow(Addrinfo).to receive(:getaddrinfo).and_call_original
-      end
     end
 
     context 'when enforce_user is' do
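Review bot: The rewritten conditions in internal_web? and internal_shell? now rely on get_port(uri), which is not in the hunk, to supply the scheme's default port when the URL carries none; that assumption is exactly what closes the old `uri.port.blank?` wildcard, so it deserves a comment at the call site such as `# A port-less URL is internal only if its scheme default equals the configured port.` If get_port can return nil for a scheme without a default mapping in the URI library in use, a port-less ssh URL is then classified as external and falls through to the normal blocking checks, which fails closed; confirm that is the intended outcome for shell URLs rather than a regression. The enclosing class body and the get_port helper itself are outside the hunk.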
@@ -611,6 +593,44 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 
         expect(described_class).to be_blocked_url('http://foobar.x')
       end
+
+      context 'when gitlab is running on a non-default port' do
+        let(:gitlab_port) { 3000 }
+
+        before do
+          stub_config(gitlab: { protocol: 'http', host: 'gitlab.local', port: gitlab_port })
+        end
+
+        it 'returns true for url targeting the wrong port' do
+          stub_domain_resolv('gitlab.local', '127.0.0.1') do
+            expect(described_class).to be_blocked_url("http://gitlab.local/foo")
+          end
+        end
+
+        it 'does not block url on gitlab port' do
+          stub_domain_resolv('gitlab.local', '127.0.0.1') do
+            expect(described_class).not_to be_blocked_url("http://gitlab.local:#{gitlab_port}/foo")
+          end
+        end
+      end
+
+      def stub_domain_resolv(domain, ip, port = 80, &block)
+        address = instance_double(Addrinfo,
+          ip_address: ip,
+          ipv4_private?: true,
+          ipv6_linklocal?: false,
+          ipv4_loopback?: false,
+          ipv6_loopback?: false,
+          ipv4?: false,
+          ip_port: port
+        )
+        allow(Addrinfo).to receive(:getaddrinfo).with(domain, port, any_args).and_return([address])
+        allow(address).to receive(:ipv6_v4mapped?).and_return(false)
+
+        yield
+
+        allow(Addrinfo).to receive(:getaddrinfo).and_call_original
+      end
     end
 
     describe '#validate_hostname' do
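Review bot: In the 'does not block url on gitlab port' example, stub_domain_resolv is called with its default port of 80 while the URL under test carries gitlab_port (3000), so the Addrinfo.getaddrinfo stub is constrained to `.with(domain, 80, any_args)` and cannot match a lookup for port 3000; whether that example ever reaches name resolution depends on blocked_url? logic outside this hunk, but as written it does not demonstrate that the configured-port path is allowed for a host resolving to a private address, which is the property the fix is meant to preserve. Passing the port through lines the stub up with the request: `stub_domain_resolv('gitlab.local', '127.0.0.1', gitlab_port) do`. As a point of style, the helper declares `&block` but only uses `yield`, so the unused parameter can be dropped. This helper is the same definition removed from its earlier position in the first spec hunk.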