author | Douwe Maan <douwe@gitlab.com> | 2017-03-15 20:09:08 +0000 |
---|---|---|
committer | DJ Mountney <david@twkie.net> | 2017-03-20 18:53:04 -0700 |
commit | 65aafb9917fb8fd4d26ca096681ca29a9a6ddda2 (patch) | |
tree | ea67256a897d4b1b8921d6b68652f8a5f0e948ab /spec/lib/gitlab/url_blocker_spec.rb | |
parent | c5a9d73ad8a141166d871e551027208014a281c0 (diff) | |
Merge branch 'ssrf' into 'security'
Protect server against SSRF in project import URLs
See merge request !2068
Diffstat (limited to 'spec/lib/gitlab/url_blocker_spec.rb')
-rw-r--r-- | spec/lib/gitlab/url_blocker_spec.rb | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb
new file mode 100644
index 00000000000..a504d299307
--- /dev/null
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe Gitlab::UrlBlocker, lib: true do
+ describe '#blocked_url?' do
+ it 'allows imports from configured web host and port' do
+ import_url = "http://#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}/t.git"
+ expect(described_class.blocked_url?(import_url)).to be false
+ end
+
+ it 'allows imports from configured SSH host and port' do
+ import_url = "http://#{Gitlab.config.gitlab_shell.ssh_host}:#{Gitlab.config.gitlab_shell.ssh_port}/t.git"
+ expect(described_class.blocked_url?(import_url)).to be false
+ end
+
+ it 'returns true for bad localhost hostname' do
+ expect(described_class.blocked_url?('https://localhost:65535/foo/foo.git')).to be true
+ end
+
+ it 'returns true for bad port' do
+ expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git')).to be true
+ end
+
+ it 'returns true for invalid URL' do
+ expect(described_class.blocked_url?('http://:8080')).to be true
+ end
+
+ it 'returns false for legitimate URL' do
+ expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git')).to be false
+ end
+ end
+end |
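Review bot: The only blocked-host example is the literal name `localhost`, and it also sets port 65535, so the 'bad localhost hostname' case does not isolate the hostname check from the port check. There is no example for a loopback or unspecified IP literal (`127.0.0.1`, `[::1]`, `0.0.0.0`), nor for a hostname that resolves to one. Gitlab::UrlBlocker itself is not part of this file, so whether it rejects those is not visible here, but the spec should pin it, e.g. `expect(described_class.blocked_url?('https://127.0.0.1/foo/foo.git')).to be true`. Separately, the 'configured SSH host and port' example builds an `http://` URL from `ssh_host`/`ssh_port`; if the intent is to cover SSH imports, an `ssh://` URL would exercise the scheme those settings belong to.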