author | Felipe Artur <felipefac@gmail.com> | 2019-07-16 16:49:47 -0300 |
---|---|---|
committer | Felipe Artur <felipefac@gmail.com> | 2019-08-08 10:24:43 -0300 |
commit | 492a7e753d0ef06458163aecc5ca43892a5acc73 (patch) | |
tree | 7af058671bea12ada48cef67ce2346d112d7e417 /spec/controllers | |
parent | 1dfbb27f6e8d01023564eededff2a0ba1a04badc (diff) | |
download | gitlab-ce-492a7e753d0ef06458163aecc5ca43892a5acc73.tar.gz |
Fix DNS rebind vulnerability for JIRA integration
Uses Gitlab::HTTP for JIRA requests instead of Net::HTTP.
Gitlab::HTTP comes with some built-in SSRF protections.
Diffstat (limited to 'spec/controllers')
-rw-r--r-- | spec/controllers/projects/services_controller_spec.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/spec/controllers/projects/services_controller_spec.rb b/spec/controllers/projects/services_controller_spec.rb
index 68eabce8513..22ae65ea2fb 100644
--- a/spec/controllers/projects/services_controller_spec.rb
+++ b/spec/controllers/projects/services_controller_spec.rb
@@ -11,6 +11,7 @@ describe Projects::ServicesController do
 before do
 sign_in(user)
 project.add_maintainer(user)
+ allow(Gitlab::UrlBlocker).to receive(:validate!).and_return([URI.parse('http://example.com'), nil])
 end
 
 describe '#test' do
@@ -56,6 +57,8 @@ describe Projects::ServicesController do
 stub_request(:get, 'http://example.com/rest/api/2/serverInfo')
 .to_return(status: 200, body: '{}')
 
+ expect(Gitlab::HTTP).to receive(:get).with("/rest/api/2/serverInfo", any_args).and_call_original
+
 put :test, params: { namespace_id: project.namespace, project_id: project, id: service.to_param, service: service_params }
 
 expect(response.status).to eq(200)
@@ -66,6 +69,8 @@ describe Projects::ServicesController do
 stub_request(:get, 'http://example.com/rest/api/2/serverInfo')
 .to_return(status: 200, body: '{}')
 
+ expect(Gitlab::HTTP).to receive(:get).with("/rest/api/2/serverInfo", any_args).and_call_original
+
 put :test, params: { namespace_id: project.namespace, project_id: project, id: service.to_param, service: service_params }
 
 expect(response.status).to eq(200) |
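Review bot: The `allow(Gitlab::UrlBlocker).to receive(:validate!)` stub in the first hunk sits in the top-level `before`, so URL validation is bypassed for every example in this controller spec and nothing here exercises the rebinding protection the commit message describes. It also returns the same `http://example.com` URI whatever URL the example configured, which can hide a mismatch between the service URL and the host actually requested. Consider scoping the stub to the contexts that issue requests and adding an example in which `validate!` raises `Gitlab::UrlBlocker::BlockedUrlError`, asserting that `put :test` reports a failure and no request is sent. The diffstat is limited to spec/controllers, so that coverage may exist in files not shown here.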
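Review bot: The expectation added in the hunk at -56,6, `expect(Gitlab::HTTP).to receive(:get).with("/rest/api/2/serverInfo", any_args).and_call_original`, pins only the relative path, so it still passes if the options that carry the target host change or are dropped. The identical line is added again in the hunk at -66,6. Tightening `any_args` to match the option that carries the host (the caller is not visible in this diff) would make the examples prove the request goes through `Gitlab::HTTP` to the configured server rather than merely that `get` was called. The repeated line could move into a shared `before` or a small helper so the two examples cannot drift apart; both enclosing examples begin and end outside their hunks.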