diff options
author | Douwe Maan <douwe@gitlab.com> | 2017-03-15 20:09:08 +0000 |
---|---|---|
committer | DJ Mountney <david@twkie.net> | 2017-03-20 18:53:04 -0700 |
commit | 65aafb9917fb8fd4d26ca096681ca29a9a6ddda2 (patch) | |
tree | ea67256a897d4b1b8921d6b68652f8a5f0e948ab /app/validators | |
parent | c5a9d73ad8a141166d871e551027208014a281c0 (diff) | |
download | gitlab-ce-65aafb9917fb8fd4d26ca096681ca29a9a6ddda2.tar.gz |
Merge branch 'ssrf' into 'security'
Protect server against SSRF in project import URLs
See merge request !2068
Diffstat (limited to 'app/validators')
-rw-r--r-- | app/validators/importable_url_validator.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/app/validators/importable_url_validator.rb b/app/validators/importable_url_validator.rb new file mode 100644 index 00000000000..37a314adee6 --- /dev/null +++ b/app/validators/importable_url_validator.rb @@ -0,0 +1,11 @@ +# ImportableUrlValidator +# +# This validator blocks projects from using dangerous import_urls to help +# protect against Server-side Request Forgery (SSRF). +class ImportableUrlValidator < ActiveModel::EachValidator + def validate_each(record, attribute, value) + if Gitlab::UrlBlocker.blocked_url?(value) + record.errors.add(attribute, "imports are not allowed from that URL") + end + end +end |