diff options
| author | Douwe Maan <douwe@gitlab.com> | 2018-03-13 22:38:30 +0000 |
|---|---|---|
| committer | Mark Fletcher <mark@gitlab.com> | 2018-03-16 11:35:44 +0000 |
| commit | 2655d95d87a7f46029248062514daa3de2efde9b (patch) | |
| tree | df07573750b19dcaa6b4256cf822297e253f31d0 /spec/lib/gitlab/http_spec.rb | |
| parent | b825ba005e9be92c3e55ef68cdb3894732765f14 (diff) | |
| download | gitlab-ce-2655d95d87a7f46029248062514daa3de2efde9b.tar.gz | |
Merge branch 'fj-15329-services-callbacks-ssrf-10-3' into 'security-10-3'
[10.3] Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2346
Diffstat (limited to 'spec/lib/gitlab/http_spec.rb')
| -rw-r--r-- | spec/lib/gitlab/http_spec.rb | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/spec/lib/gitlab/http_spec.rb b/spec/lib/gitlab/http_spec.rb new file mode 100644 index 00000000000..3e0957f74c9 --- /dev/null +++ b/spec/lib/gitlab/http_spec.rb @@ -0,0 +1,49 @@ +require 'spec_helper' + +describe Gitlab::HTTP do + describe 'allow_local_requests_from_hooks_and_services is' do + before do + WebMock.stub_request(:get, /.*/).to_return(status: 200, body: 'Success') + end + + context 'disabled' do + before do + allow(Gitlab::CurrentSettings).to receive(:allow_local_requests_from_hooks_and_services?).and_return(false) + end + + it 'deny requests to localhost' do + expect { described_class.get('http://localhost:3003') }.to raise_error(URI::InvalidURIError) + end + + it 'deny requests to private network' do + expect { described_class.get('http://192.168.1.2:3003') }.to raise_error(URI::InvalidURIError) + end + + context 'if allow_local_requests set to true' do + it 'override the global value and allow requests to localhost or private network' do + expect { described_class.get('http://localhost:3003', allow_local_requests: true) }.not_to raise_error + end + end + end + + context 'enabled' do + before do + allow(Gitlab::CurrentSettings.current_application_settings).to receive(:allow_local_requests_from_hooks_and_services?).and_return(true) + end + + it 'allow requests to localhost' do + expect { described_class.get('http://localhost:3003') }.not_to raise_error + end + + it 'allow requests to private network' do + expect { described_class.get('http://192.168.1.2:3003') }.not_to raise_error + end + + context 'if allow_local_requests set to false' do + it 'override the global value and ban requests to localhost or private network' do + expect { described_class.get('http://localhost:3003', allow_local_requests: false) }.to raise_error(URI::InvalidURIError) + end + end + end + end +end |