author | Thiago Presa <tpresa@gitlab.com> | 2018-10-23 02:20:39 +0000 |
---|---|---|
committer | Thiago Presa <tpresa@gitlab.com> | 2018-10-24 21:59:31 -0300 |
commit | 39473cc0addedc3d9b7aebe37b4470904c68eaea (patch) | |
tree | 8d8cfd6b948f70eafca8ab1073b02b5602cc0747 | |
parent | b124ad85adfda6a7e2abbfaa6d8d4d4c756cbcbb (diff) | |
download | gitlab-ce-39473cc0addedc3d9b7aebe37b4470904c68eaea.tar.gz |
Merge branch 'sh-block-other-localhost-11-2' into 'security-11-2'
[11.2] Prevent SSRF attacks in HipChat integration
See merge request gitlab/gitlabhq!2549
-rw-r--r-- | changelogs/unreleased/sh-fix-hipchat-ssrf.yml | 5 | ||||
-rw-r--r-- | config/initializers/hipchat_client_patch.rb | 14 | ||||
-rw-r--r-- | spec/models/project_services/hipchat_service_spec.rb | 18 |
3 files changed, 37 insertions, 0 deletions
diff --git a/changelogs/unreleased/sh-fix-hipchat-ssrf.yml b/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
new file mode 100644
index 00000000000..cdc95a34fcf
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent SSRF attacks in HipChat integration
+merge_request:
+author:
+type: security
diff --git a/config/initializers/hipchat_client_patch.rb b/config/initializers/hipchat_client_patch.rb
new file mode 100644
index 00000000000..aec265312bb
--- /dev/null
+++ b/config/initializers/hipchat_client_patch.rb
@@ -0,0 +1,14 @@
+# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
+module HipChat
+  class Client
+    connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+  end
+
+  class Room
+    connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+  end
+
+  class User
+    connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+  end
+end
diff --git a/spec/models/project_services/hipchat_service_spec.rb b/spec/models/project_services/hipchat_service_spec.rb
index 0cd712e2f40..b0fd2ceead0 100644
--- a/spec/models/project_services/hipchat_service_spec.rb
+++ b/spec/models/project_services/hipchat_service_spec.rb
@@ -387,4 +387,22 @@ describe HipchatService do
       end
     end
   end
+
+  context 'with UrlBlocker' do
+    let(:user) { create(:user) }
+    let(:project) { create(:project, :repository) }
+    let(:hipchat) { described_class.new(project: project) }
+    let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
+
+    describe '#execute' do
+      before do
+        hipchat.server = 'http://localhost:9123'
+      end
+
+      it 'raises UrlBlocker for localhost' do
+        expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
+        expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
+      end
+    end
+  end
 end |
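Review bot: The mitigation in hipchat_client_patch.rb only covers the three classes (Client, Room, User) that hipchat-rb mixes HTTParty into today, so a gem upgrade that adds or renames an HTTParty-backed class would silently fall outside the adapter; the header comment should record the gem version this list was audited against, e.g. `# Covers every HTTParty-including class in hipchat-rb <VERSION-PLACEHOLDER>; re-check this list on upgrade.`. Reopening each class with `class Client` also works only if the gem has already defined it, otherwise `connection_adapter` fails with NoMethodError on a freshly created empty class; naming the constants directly makes the dependency explicit: `[HipChat::Client, HipChat::Room, HipChat::User].each do |klass|` / `  klass.connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter` / `end`. The comment says what is patched but not why; the spec hunk indicates the adapter runs the configured server URL through Gitlab::UrlBlocker before connecting, so, assuming that is the adapter's contract, a line such as `# Routes every hipchat-rb request through the adapter so the server URL is validated by Gitlab::UrlBlocker before a connection is opened.` would preserve the intent for the next maintainer.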
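Review bot: The new example in hipchat_service_spec.rb pins only the blocked case, so the suite would still pass if the adapter rejected every server URL or was never wired in for Room or User; a companion example with an allowed (non-local, non-private) server asserting that `execute` does not raise `Gitlab::HTTP::BlockedUrlError` would catch both regressions. The `receive(:validate!).and_call_original` expectation also proves only that UrlBlocker ran somewhere, not that it ran through the patched connection adapter, which is presumably the intent; a short comment stating that, e.g. `# validate! is reached via Gitlab::ProxyHTTPConnectionAdapter installed by config/initializers/hipchat_client_patch.rb`, would tie the spec to the initializer. The enclosing `describe HipchatService do` begins outside the hunk.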