author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-07-26 13:41:05 +0000 |
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-07-26 13:41:05 +0000 |
commit | c4bc5dffa48d6d4eaa8e2dd294650ba25acf90b5 (patch) | |
tree | 15d42ea447813d40940d7b672d0d717f4a222244 /lib | |
parent | 890c1421a4b28cdc65427235cd5a397c5d1be9c4 (diff) | |
parent | c93ce836930a875452432ccc0c92733fb8adda29 (diff) | |
Merge branch 'security-github-ssrf-redirect' into 'master'
Do not allow localhost url redirection in GitHub Integration
See merge request gitlab/gitlabhq!3188
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/github_import/client.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/legacy_github_import/client.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/octokit/middleware.rb | 23 |
3 files changed, 26 insertions, 3 deletions
diff --git a/lib/gitlab/github_import/client.rb b/lib/gitlab/github_import/client.rb
index a61beafae0d..826b35d685c 100644
--- a/lib/gitlab/github_import/client.rb
+++ b/lib/gitlab/github_import/client.rb
@@ -40,7 +40,7 @@ module Gitlab
       # otherwise hitting the rate limit will result in a thread
       # being blocked in a `sleep()` call for up to an hour.
       def initialize(token, per_page: 100, parallel: true)
-        @octokit = Octokit::Client.new(
+        @octokit = ::Octokit::Client.new(
           access_token: token,
           per_page: per_page,
           api_endpoint: api_endpoint
@@ -139,7 +139,7 @@ module Gitlab
         begin
           yield
-        rescue Octokit::TooManyRequests
+        rescue ::Octokit::TooManyRequests
           raise_or_wait_for_rate_limit
 
           # This retry will only happen when running in sequential mode as we'll
diff --git a/lib/gitlab/legacy_github_import/client.rb b/lib/gitlab/legacy_github_import/client.rb
index bbdd094e33b..b23efd64dee 100644
--- a/lib/gitlab/legacy_github_import/client.rb
+++ b/lib/gitlab/legacy_github_import/client.rb
@@ -101,7 +101,7 @@ module Gitlab
       # GitHub Rate Limit API returns 404 when the rate limit is
       # disabled. In this case we just want to return gracefully
       # instead of spitting out an error.
-      rescue Octokit::NotFound
+      rescue ::Octokit::NotFound
         nil
       end
 
diff --git a/lib/gitlab/octokit/middleware.rb b/lib/gitlab/octokit/middleware.rb
new file mode 100644
index 00000000000..2f762957d1b
--- /dev/null
+++ b/lib/gitlab/octokit/middleware.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Octokit
+    class Middleware
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        Gitlab::UrlBlocker.validate!(env[:url], { allow_localhost: allow_local_requests?, allow_local_network: allow_local_requests? })
+
+        @app.call(env)
+      end
+
+      private
+
+      def allow_local_requests?
+        Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?
+      end
+    end
+  end
+end
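Review bot: Nothing in the `-40,7 +40,7` hunk records why `Octokit::Client` became `::Octokit::Client`, and the reason is not local: the `Gitlab::Octokit` module introduced in lib/gitlab/octokit/middleware.rb by this same commit shadows the gem's top-level constant inside `module Gitlab`, so an unqualified `Octokit` there now resolves to the middleware namespace. The same applies to the `rescue ::Octokit::TooManyRequests` hunk at line 139 and to `rescue ::Octokit::NotFound` in lib/gitlab/legacy_github_import/client.rb, and any other unqualified `Octokit::...` reference inside the `Gitlab` namespace that is not in this diff would presumably fail with a NameError only when that code path runs, so the rest of the namespace is worth searching. A one-line comment above the constructor call, `# ::Octokit rather than Octokit: Gitlab::Octokit (the SSRF middleware namespace) shadows the gem inside module Gitlab`, would keep the qualifier from being "simplified" away later. `initialize` and the `begin`/`rescue` retry block both continue outside their hunks.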
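Review bot: `call` validates the `env[:url]` of the request Faraday hands to this middleware, but whether that covers the redirect target named in the commit title depends on where the middleware is inserted in the Octokit connection stack, which this diff (limited to 'lib') does not show; if it sits outside the redirect-following middleware only the first URL is checked and a 3xx to a localhost or private-network address is followed unvalidated, so the registration should place it inside that layer and a spec that redirects to a loopback address would pin the behaviour. `Gitlab::UrlBlocker.validate!` raises on a blocked URL while the import clients touched in this diff rescue only `::Octokit::*` errors, so the blocked-URL exception presumably propagates out of the importer — worth confirming it is reported to the user rather than failing the job opaquely. The class has no documentation; a header comment such as `# Faraday middleware that runs every outgoing Octokit request URL through Gitlab::UrlBlocker so the GitHub importer cannot be pointed at localhost or the local network (SSRF guard, relaxed by allow_local_requests_from_hooks_and_services).` would explain its purpose to the next reader. Minor style: `allow_local_requests?` is evaluated twice per request and the options are wrapped in a literal hash where keyword arguments would read more naturally.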