summaryrefslogtreecommitdiff
path: root/lib/mattermost
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2018-03-13 22:38:25 +0000
committerMark Fletcher <mark@gitlab.com>2018-03-21 14:39:21 +0000
commit95ced3bb5fa52e166aa03ee592f63180601cbde7 (patch)
tree8e75e6ccf9a443ba004b11891b84518fd7cfe884 /lib/mattermost
parent30c480c2b3f4709f592d8b095f8653df940f6845 (diff)
downloadgitlab-ce-95ced3bb5fa52e166aa03ee592f63180601cbde7.tar.gz
Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'
Server Side Request Forgery in Services and Web Hooks See merge request gitlab/gitlabhq!2337
Diffstat (limited to 'lib/mattermost')
-rw-r--r--lib/mattermost/session.rb22
1 files changed, 14 insertions, 8 deletions
diff --git a/lib/mattermost/session.rb b/lib/mattermost/session.rb
index 65ccdb3c347..a514ec15c2a 100644
--- a/lib/mattermost/session.rb
+++ b/lib/mattermost/session.rb
@@ -22,16 +22,14 @@ module Mattermost
# going.
class Session
include Doorkeeper::Helpers::Controller
- include HTTParty
LEASE_TIMEOUT = 60
- base_uri Settings.mattermost.host
-
- attr_accessor :current_resource_owner, :token
+ attr_accessor :current_resource_owner, :token, :base_uri
def initialize(current_user)
@current_resource_owner = current_user
+ @base_uri = Settings.mattermost.host
end
def with_session
@@ -73,13 +71,13 @@ module Mattermost
def get(path, options = {})
handle_exceptions do
- self.class.get(path, options.merge(headers: @headers))
+ Gitlab::HTTP.get(path, build_options(options))
end
end
def post(path, options = {})
handle_exceptions do
- self.class.post(path, options.merge(headers: @headers))
+ Gitlab::HTTP.post(path, build_options(options))
end
end
@@ -91,6 +89,14 @@ module Mattermost
private
+ def build_options(options)
+ options.tap do |hash|
+ hash[:headers] = @headers
+ hash[:allow_local_requests] = true
+ hash[:base_uri] = base_uri if base_uri.presence
+ end
+ end
+
def create
raise Mattermost::NoSessionError unless oauth_uri
raise Mattermost::NoSessionError unless token_uri
@@ -165,14 +171,14 @@ module Mattermost
def handle_exceptions
yield
- rescue HTTParty::Error => e
+ rescue Gitlab::HTTP::Error => e
raise Mattermost::ConnectionError.new(e.message)
rescue Errno::ECONNREFUSED => e
raise Mattermost::ConnectionError.new(e.message)
end
def parse_cookie(response)
- cookie_hash = CookieHash.new
+ cookie_hash = Gitlab::HTTP::CookieHash.new
response.get_fields('Set-Cookie').each { |c| cookie_hash.add_cookies(c) }
cookie_hash
end