diff options
author | manojmj <mmj@gitlab.com> | 2019-06-27 14:44:01 +0530 |
---|---|---|
committer | manojmj <mmj@gitlab.com> | 2019-07-05 15:09:04 +0530 |
commit | c93ce836930a875452432ccc0c92733fb8adda29 (patch) | |
tree | a29f7f6461bfd79983cb305d9a7d89ff5ecec3b3 /spec/lib/gitlab/octokit | |
parent | d1154dcd2b3b126cc4d6c3bba87c47b6669e697c (diff) | |
download | gitlab-ce-c93ce836930a875452432ccc0c92733fb8adda29.tar.gz |
Do not allow localhost url redirection in GitHub Integration
Diffstat (limited to 'spec/lib/gitlab/octokit')
-rw-r--r-- | spec/lib/gitlab/octokit/middleware_spec.rb | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/spec/lib/gitlab/octokit/middleware_spec.rb b/spec/lib/gitlab/octokit/middleware_spec.rb new file mode 100644 index 00000000000..7f2b523f5b7 --- /dev/null +++ b/spec/lib/gitlab/octokit/middleware_spec.rb @@ -0,0 +1,68 @@ +require 'spec_helper' + +describe Gitlab::Octokit::Middleware do + let(:app) { double(:app) } + let(:middleware) { described_class.new(app) } + + shared_examples 'Public URL' do + it 'does not raise an error' do + expect(app).to receive(:call).with(env) + + expect { middleware.call(env) }.not_to raise_error + end + end + + shared_examples 'Local URL' do + it 'raises an error' do + expect { middleware.call(env) }.to raise_error(Gitlab::UrlBlocker::BlockedUrlError) + end + end + + describe '#call' do + context 'when the URL is a public URL' do + let(:env) { { url: 'https://public-url.com' } } + + it_behaves_like 'Public URL' + end + + context 'when the URL is a localhost adresss' do + let(:env) { { url: 'http://127.0.0.1' } } + + context 'when localhost requests are not allowed' do + before do + stub_application_setting(allow_local_requests_from_hooks_and_services: false) + end + + it_behaves_like 'Local URL' + end + + context 'when localhost requests are allowed' do + before do + stub_application_setting(allow_local_requests_from_hooks_and_services: true) + end + + it_behaves_like 'Public URL' + end + end + + context 'when the URL is a local network address' do + let(:env) { { url: 'http://172.16.0.0' } } + + context 'when local network requests are not allowed' do + before do + stub_application_setting(allow_local_requests_from_hooks_and_services: false) + end + + it_behaves_like 'Local URL' + end + + context 'when local network requests are allowed' do + before do + stub_application_setting(allow_local_requests_from_hooks_and_services: true) + end + + it_behaves_like 'Public URL' + end + end + end +end |