author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-06 21:12:45 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-06 21:12:45 +0000 |
commit | 8ec004d6d8d92f00d0598e94ede4d31ab1e8f18e (patch) | |
tree | 525dcb81832e5ad142cc1f2aeff2f38c51f80aa4 /lib | |
parent | e22c3819ad2321a0cf825877fe3b60e41268c5b3 (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/url_blocker.rb | 26 | ||||
-rw-r--r-- | lib/sidebars/projects/menus/security_compliance_menu.rb | 2 |
2 files changed, 26 insertions, 2 deletions
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index f93b87131c7..de01b6044b3 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -69,6 +69,8 @@ module Gitlab
 return protected_uri_with_hostname if allow_object_storage && object_storage_endpoint?(uri)
+ validate_deny_all_requests_except_allowed!
+
 validate_local_request(
 address_info: address_info,
 allow_localhost: allow_localhost,
@@ -139,7 +141,14 @@ module Gitlab
 end
 def enforce_address_info_retrievable?(uri, dns_rebind_protection)
- return false if !dns_rebind_protection || domain_in_allow_list?(uri)
+ # Do not enforce if URI is in the allow list
+ return false if domain_in_allow_list?(uri)
+
+ # Enforce if the instance should block requests
+ return true if deny_all_requests_except_allowed?
+
+ # Do not enforce unless DNS rebinding protection is enabled
+ return false unless dns_rebind_protection
 # In the test suite we use a lot of mocked urls that are either invalid or
 # don't exist. In order to avoid modifying a ton of tests and factories
@@ -270,6 +279,15 @@ module Gitlab
 raise BlockedUrlError, "Requests to the link local network are not allowed"
 end
+ # Raises a BlockedUrlError if the instance is configured to deny all requests.
+ #
+ # This should only be called after allow list checks have been made.
+ def validate_deny_all_requests_except_allowed!
+ return unless deny_all_requests_except_allowed?
+
+ raise BlockedUrlError, "Requests to hosts and IP addresses not on the Allow List are denied"
+ end
+
 # Raises a BlockedUrlError if any IP in `addrs_info` is the limited
 # broadcast address.
 # https://datatracker.ietf.org/doc/html/rfc919#section-7
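Review bot: `validate_deny_all_requests_except_allowed!` is inserted after the `return protected_uri_with_hostname if allow_object_storage && object_storage_endpoint?(uri)` early return, so a configured object-storage endpoint is reachable even when the instance is set to deny everything not on the allow list. That is plausibly deliberate, since those endpoints come from instance configuration rather than user input, but nothing at the call site says so, and the new method's own comment requires the allow-list checks to have already run while none of them appear in this hunk; the enclosing method starts before the hunk, so the ordering cannot be confirmed from here. I would add `# Deny-all applies only to hosts that survived the allow-list and object-storage exemptions above.` directly above the call, and if the object-storage exemption is not intended, move the call above that `return`.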
@@ -312,6 +330,12 @@ module Gitlab
 end.compact.uniq
 end
+ def deny_all_requests_except_allowed?
+ Feature.enabled?(:deny_all_requests_except_allowed) &&
+ Gitlab::CurrentSettings.current_application_settings? &&
+ Gitlab::CurrentSettings.deny_all_requests_except_allowed?
+ end
+
 def object_storage_endpoint?(uri)
 enabled_object_storage_endpoints.any? do |endpoint|
 endpoint_uri = URI(endpoint)
diff --git a/lib/sidebars/projects/menus/security_compliance_menu.rb b/lib/sidebars/projects/menus/security_compliance_menu.rb
index 1e5a7cecdb2..58a7ab4e8f0 100644
--- a/lib/sidebars/projects/menus/security_compliance_menu.rb
+++ b/lib/sidebars/projects/menus/security_compliance_menu.rb
@@ -33,7 +33,7 @@ module Sidebars
 end
 ::Sidebars::MenuItem.new(
- title: _('Configuration'),
+ title: _('Security configuration'),
 link: project_security_configuration_path(context.project),
 active_routes: { path: configuration_menu_item_paths },
 item_id: :configuration |
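Review bot: `deny_all_requests_except_allowed?` fails open: when the `:deny_all_requests_except_allowed` feature flag is off or `Gitlab::CurrentSettings.current_application_settings?` returns false, the predicate is false and an instance configured to deny all requests quietly permits any URL that passes the remaining checks. Degrading to permit when application settings cannot be read is a surprising direction for a deny-all policy and should at least be stated at the method; I would add `# Fails open: the policy is not enforced while the flag is off or application settings are unavailable.` above the `def`. Whether the settings-unavailable case should instead fail closed depends on when this validator can run without settings loaded (e.g. early boot or migrations), which this hunk does not show.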