author | Stan Hu <stanhu@gmail.com> | 2017-03-24 15:02:23 -0700 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2017-03-24 15:02:23 -0700 |
commit | e1bb8c99cf7840c8b5d981111857b7d16b9cc1bd (patch) | |
tree | 9737570f75dbb84a325537cd1863301e42234fee /app/validators | |
parent | f6ededfa07a2fe9f3dd1c4d7e247b0f784f8181a (diff) | |
parent | f1e1e51311b6f50c98b3e1476942107269c28a97 (diff) | |
download | gitlab-ce-e1bb8c99cf7840c8b5d981111857b7d16b9cc1bd.tar.gz |
Merge branch 'master' into sh-bring-back-option-to-be-notified-of-own-activity
Diffstat (limited to 'app/validators')
-rw-r--r-- | app/validators/importable_url_validator.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/app/validators/importable_url_validator.rb b/app/validators/importable_url_validator.rb
new file mode 100644
index 00000000000..37a314adee6
--- /dev/null
+++ b/app/validators/importable_url_validator.rb
@@ -0,0 +1,11 @@
+# ImportableUrlValidator
+#
+# This validator blocks projects from using dangerous import_urls to help
+# protect against Server-side Request Forgery (SSRF).
+class ImportableUrlValidator < ActiveModel::EachValidator
+ def validate_each(record, attribute, value)
+ if Gitlab::UrlBlocker.blocked_url?(value)
+ record.errors.add(attribute, "imports are not allowed from that URL")
+ end
+ end
+end |
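Review bot: `validate_each` checks the URL only when the record is validated, but the import fetches it later, so this check alone does not guarantee that the address eventually contacted is an allowed one. If `Gitlab::UrlBlocker.blocked_url?` resolves hostnames (it is defined outside this diff, so that is an assumption), a DNS answer that changes between save and fetch, or an HTTP redirect during the fetch, would not be covered. The header comment should say so, for example `# NOTE: validation-time check only; the import code must re-check the destination when it performs the request.` How `blocked_url?` treats a nil or unparseable `value` is also not visible here and should be documented or covered by a spec.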