author | Douwe Maan <douwe@gitlab.com> | 2017-03-15 20:09:08 +0000 |
---|---|---|
committer | DJ Mountney <david@twkie.net> | 2017-03-20 18:53:04 -0700 |
commit | 65aafb9917fb8fd4d26ca096681ca29a9a6ddda2 (patch) | |
tree | ea67256a897d4b1b8921d6b68652f8a5f0e948ab /spec/services | |
parent | c5a9d73ad8a141166d871e551027208014a281c0 (diff) | |
Merge branch 'ssrf' into 'security'
Protect server against SSRF in project import URLs
See merge request !2068
Diffstat (limited to 'spec/services')
-rw-r--r-- | spec/services/projects/import_service_spec.rb | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/spec/services/projects/import_service_spec.rb b/spec/services/projects/import_service_spec.rb index ab6e8f537ba..e5917bb0b7a 100644 --- a/spec/services/projects/import_service_spec.rb +++ b/spec/services/projects/import_service_spec.rb @@ -120,6 +120,26 @@ describe Projects::ImportService, services: true do end end + context 'with blocked import_URL' do + it 'fails with localhost' do + project.import_url = 'https://localhost:9000/vim/vim.git' + + result = described_class.new(project, user).execute + + expect(result[:status]).to eq :error + expect(result[:message]).to end_with 'Blocked import URL.' + end + + it 'fails with port 25' do + project.import_url = "https://github.com:25/vim/vim.git" + + result = described_class.new(project, user).execute + + expect(result[:status]).to eq :error + expect(result[:message]).to end_with 'Blocked import URL.' + end + end + def stub_github_omniauth_provider provider = OpenStruct.new( 'name' => 'github', |
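Review bot: Both new examples in the `with blocked import_URL` context assert only the returned `:status` and `:message`, so they would still pass if the service reported the error after it had already contacted the URL; for an SSRF fix the property worth pinning is that no fetch is attempted, which needs a negative expectation on whichever collaborator performs the import (not visible in this hunk). Coverage is also limited to one host spelling and one port: if the blocker is meant to reject loopback IP literals as well, add a sibling example with a constructed value such as `project.import_url = 'https://127.0.0.1:9000/vim/vim.git'` and the same two expectations. The port example uses a public hostname, so if the blocker resolves names (an assumption, since the blocker is outside this diff) the spec depends on DNS, and a stubbed resolver would keep it hermetic. Minor: `import_URL` in the context title does not match the attribute `import_url`, and the second URL is double-quoted where the first is single-quoted. The enclosing `describe` block starts and ends outside the hunk.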