diff options
author | Francisco Javier López <fjlopez@gitlab.com> | 2019-07-02 18:38:23 +0200 |
---|---|---|
committer | Francisco Javier López <fjlopez@gitlab.com> | 2019-07-15 09:21:20 +0200 |
commit | f5c1cd489834e824c83f2ae909cd0dd41fb95dab (patch) | |
tree | bfbf073fae7b2a5dedb63118cc3865036a92c847 /spec/spec_helper.rb | |
parent | e674a9d97822553c930062b9c5f4d4a349d39c11 (diff) | |
download | gitlab-ce-f5c1cd489834e824c83f2ae909cd0dd41fb95dab.tar.gz |
Fix Server Side Request Forgery mitigation bypass
When we can't resolve the hostname or it is invalid, we shouldn't
even perform the request. This fix also fixes the problem the
SSRF rebinding attack.
We can't stub feature flags outside example blocks. Nevertheless,
there are some actions that calls the UrlBlocker, that are performed
outside example blocks, ie: `set` instruction.
That's why we have to use some signalign mechanism outside the scope
of the specs.
Diffstat (limited to 'spec/spec_helper.rb')
-rw-r--r-- | spec/spec_helper.rb | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 95e0d8858b9..089dbc09aa3 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -3,6 +3,7 @@ SimpleCovEnv.start! ENV["RAILS_ENV"] = 'test' ENV["IN_MEMORY_APPLICATION_SETTINGS"] = 'true' +ENV["RSPEC_ALLOW_INVALID_URLS"] = 'true' require File.expand_path('../config/environment', __dir__) require 'rspec/rails' |