Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs See merge request !2068
author: Douwe Maan <douwe@gitlab.com> 2017-03-15 20:09:08 +0000
committer: DJ Mountney <david@twkie.net> 2017-03-20 18:53:04 -0700
commit: 65aafb9917fb8fd4d26ca096681ca29a9a6ddda2 (patch)
tree: ea67256a897d4b1b8921d6b68652f8a5f0e948ab /app/validators
parent: c5a9d73ad8a141166d871e551027208014a281c0 (diff)
download: gitlab-ce-65aafb9917fb8fd4d26ca096681ca29a9a6ddda2.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/app/validators/importable_url_validator.rb b/app/validators/importable_url_validator.rb
new file mode 100644
index 00000000000..37a314adee6
--- /dev/null
+++ b/app/validators/importable_url_validator.rb
@@ -0,0 +1,11 @@
+# ImportableUrlValidator
+#
+# This validator blocks projects from using dangerous import_urls to help
+# protect against Server-side Request Forgery (SSRF).
+class ImportableUrlValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    if Gitlab::UrlBlocker.blocked_url?(value)
+      record.errors.add(attribute, "imports are not allowed from that URL")
+    end
+  end
+end
author	Douwe Maan <douwe@gitlab.com>	2017-03-15 20:09:08 +0000
committer	DJ Mountney <david@twkie.net>	2017-03-20 18:53:04 -0700
commit	65aafb9917fb8fd4d26ca096681ca29a9a6ddda2 (patch)
tree	ea67256a897d4b1b8921d6b68652f8a5f0e948ab /app/validators
parent	c5a9d73ad8a141166d871e551027208014a281c0 (diff)
download	gitlab-ce-65aafb9917fb8fd4d26ca096681ca29a9a6ddda2.tar.gz