author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 19:06:44 +0000 |
---|---|---|
committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 19:14:06 -0500 |
commit | c0e5d9afee57745a79c072b0f57fdcbe164312da (patch) | |
tree | bb779e510a00b4b7ad64abf9f32cb7b4ba1ebe38 /lib/gitlab/url_blocker.rb | |
parent | fe5f75930e781ef854b458fafa307ebb90a8ed2e (diff) | |
Merge branch 'security-fj-crlf-injection' into 'master'
[master] Fix CRLF issue in UrlValidator
See merge request gitlab/gitlabhq!2627
Diffstat (limited to 'lib/gitlab/url_blocker.rb')
-rw-r--r-- | lib/gitlab/url_blocker.rb | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 4b1b58d68d8..fa401abc6bb 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -10,11 +10,8 @@ module Gitlab
 def validate!(url, allow_localhost: false, allow_local_network: true, enforce_user: false, ports: [], protocols: [])
 return true if url.nil?
- begin
- uri = Addressable::URI.parse(url)
- rescue Addressable::URI::InvalidURIError
- raise BlockedUrlError, "URI is invalid"
- end
+ # Param url can be a string, URI or Addressable::URI
+ uri = parse_url(url)
 # Allow imports from the GitLab instance itself but only from the configured ports
 return true if internal?(uri)
@@ -49,6 +46,18 @@ module Gitlab
 private
+ def parse_url(url)
+ raise Addressable::URI::InvalidURIError if multiline?(url)
+
+ Addressable::URI.parse(url)
+ rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
+ raise BlockedUrlError, 'URI is invalid'
+ end
+
+ def multiline?(url)
+ CGI.unescape(url.to_s) =~ /\n|\r/
+ end
+
 def validate_port!(port, ports)
 return if port.blank?
 # Only ports under 1024 are restricted |
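Review bot: In the second hunk, `multiline?` percent-decodes the URL exactly once with `CGI.unescape` and then looks only for CR/LF, so a doubly-encoded sequence such as `%250A` passes the check and reaches `Addressable::URI.parse` still carrying `%0A`; whether that is exploitable depends on whether the consumer of the validated URL decodes again, which is outside this hunk, but the limitation deserves a comment on the method. Other ASCII control characters (tab, NUL) are also not covered, so consider widening the pattern to `/[\x00-\x1f]/` if the downstream HTTP client treats them as separators. Since the match result is only used as a boolean, `match?` avoids the MatchData allocation and makes the predicate return true/false rather than an Integer or nil: `CGI.unescape(url.to_s).match?(/[\r\n]/)`. A header comment such as `# Reject URLs containing a raw or singly percent-encoded CR/LF before handing them to Addressable, which does not reject them itself` would make the intent clear; the enclosing class header and the rest of `validate!` are outside the hunk.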