Protect Gitlab::HTTP against DNS rebinding attack

Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field.
author: Douwe Maan <douwe@selenight.nl> 2019-04-21 12:03:26 +0200
committer: Oswaldo Ferreira <oswaldo@gitlab.com> 2019-05-30 10:47:31 -0300
commit: a9bcddee4c2653cbf2254d893299393e3778e7df (patch)
tree: 0c81c5358bce244da7cf9f9f684234a7f4a2dfd0 /spec/services/submit_usage_ping_service_spec.rb
parent: 88241108c4d9807e5c312b11c910b3072bc6f120 (diff)
download: gitlab-ce-a9bcddee4c2653cbf2254d893299393e3778e7df.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/spec/services/submit_usage_ping_service_spec.rb b/spec/services/submit_usage_ping_service_spec.rb
index 78df9bf96bf..653f17a4324 100644
--- a/spec/services/submit_usage_ping_service_spec.rb
+++ b/spec/services/submit_usage_ping_service_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 describe SubmitUsagePingService do
+  include StubRequests
+
   context 'when usage ping is disabled' do
     before do
       stub_application_setting(usage_ping_enabled: false)
@@ -99,7 +101,7 @@ describe SubmitUsagePingService do
   end
 
   def stub_response(body)
-    stub_request(:post, 'https://version.gitlab.com/usage_data')
+    stub_full_request('https://version.gitlab.com/usage_data', method: :post)
       .to_return(
         headers: { 'Content-Type' => 'application/json' },
         body: body.to_json
author	Douwe Maan <douwe@selenight.nl>	2019-04-21 12:03:26 +0200
committer	Oswaldo Ferreira <oswaldo@gitlab.com>	2019-05-30 10:47:31 -0300
commit	a9bcddee4c2653cbf2254d893299393e3778e7df (patch)
tree	0c81c5358bce244da7cf9f9f684234a7f4a2dfd0 /spec/services/submit_usage_ping_service_spec.rb
parent	88241108c4d9807e5c312b11c910b3072bc6f120 (diff)
download	gitlab-ce-a9bcddee4c2653cbf2254d893299393e3778e7df.tar.gz