summaryrefslogtreecommitdiff
path: root/app/validators
diff options
context:
space:
mode:
authorStan Hu <stanhu@gmail.com>2017-03-24 15:02:23 -0700
committerStan Hu <stanhu@gmail.com>2017-03-24 15:02:23 -0700
commite1bb8c99cf7840c8b5d981111857b7d16b9cc1bd (patch)
tree9737570f75dbb84a325537cd1863301e42234fee /app/validators
parentf6ededfa07a2fe9f3dd1c4d7e247b0f784f8181a (diff)
parentf1e1e51311b6f50c98b3e1476942107269c28a97 (diff)
downloadgitlab-ce-e1bb8c99cf7840c8b5d981111857b7d16b9cc1bd.tar.gz
Merge branch 'master' into sh-bring-back-option-to-be-notified-of-own-activity
Diffstat (limited to 'app/validators')
-rw-r--r--app/validators/importable_url_validator.rb11
1 files changed, 11 insertions, 0 deletions
diff --git a/app/validators/importable_url_validator.rb b/app/validators/importable_url_validator.rb
new file mode 100644
index 00000000000..37a314adee6
--- /dev/null
+++ b/app/validators/importable_url_validator.rb
@@ -0,0 +1,11 @@
+# ImportableUrlValidator
+#
+# This validator blocks projects from using dangerous import_urls to help
+# protect against Server-side Request Forgery (SSRF).
+class ImportableUrlValidator < ActiveModel::EachValidator
+ def validate_each(record, attribute, value)
+ if Gitlab::UrlBlocker.blocked_url?(value)
+ record.errors.add(attribute, "imports are not allowed from that URL")
+ end
+ end
+end