author: Francisco Javier López <fjlopez@gitlab.com> 2019-07-02 18:38:23 +0200
committer: Francisco Javier López <fjlopez@gitlab.com> 2019-07-15 09:21:20 +0200
commit: f5c1cd489834e824c83f2ae909cd0dd41fb95dab (patch)
tree: bfbf073fae7b2a5dedb63118cc3865036a92c847 /spec/spec_helper.rb
parent: e674a9d97822553c930062b9c5f4d4a349d39c11 (diff)
Fix Server Side Request Forgery mitigation bypass
When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem with the SSRF rebinding attack. We can't stub feature flags outside example blocks. Nevertheless, there are some actions that call the UrlBlocker that are performed outside example blocks, i.e. the `set` instruction. That's why we have to use some signaling mechanism outside the scope of the specs.
Diffstat (limited to 'spec/spec_helper.rb')
spec/spec_helper.rb | 1 +
1 file changed, 1 insertion, 0 deletions
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 95e0d8858b9..089dbc09aa3 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -3,6 +3,7 @@ SimpleCovEnv.start!
ENV["RAILS_ENV"] = 'test'
ENV["IN_MEMORY_APPLICATION_SETTINGS"] = 'true'
+ENV["RSPEC_ALLOW_INVALID_URLS"] = 'true'
require File.expand_path('../config/environment', __dir__)
require 'rspec/rails'
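Review bot: The added `ENV["RSPEC_ALLOW_INVALID_URLS"] = 'true'` is an out-of-band switch that relaxes the UrlBlocker's hostname validation, and nothing in this hunk explains that to the next reader of spec_helper.rb; please add a comment above the line stating why it exists (the commit message's reasoning: the blocker is invoked outside example blocks, e.g. by `set`, where feature flags cannot be stubbed) and that it must only ever be set in the test environment. Placing it before `require File.expand_path('../config/environment', __dir__)` is the right ordering, since the application has to see the variable when it boots, but because the value is read from the process environment rather than from a test-only helper, it is worth checking that the consumer of this variable also gates on `Rails.env.test?` (or equivalently `ENV["RAILS_ENV"] == 'test'`, set two lines above), so a stray variable in a non-test process cannot disable the SSRF mitigation this commit is fixing.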