Do not allow local urls in Kubernetes form

Use existing `public_url` validation to block various local urls. Note that this validation will allow local urls if the "Allow requests to the local network from hooks and services" admin setting is enabled. Block KubeClient from using local addresses It will also respect `allow_local_requests_from_hooks_and_services` so if that is enabled KubeClinet will allow local addresses
author: Thong Kuah <tkuah@gitlab.com> 2019-02-13 09:46:59 +1300
committer: Thong Kuah <tkuah@gitlab.com> 2019-02-21 23:32:12 +1300
commit: b28592a8bb7d945a899141989598e6c41777462f (patch)
tree: 8052ca88b0af00a200d1a11bac593af2d38cbebd /spec
parent: c46c62c51316da73724848b5f0dcb5aba82475e2 (diff)
download: gitlab-ce-b28592a8bb7d945a899141989598e6c41777462f.tar.gz
2 files changed, 46 insertions, 0 deletions
diff --git a/spec/lib/gitlab/kubernetes/kube_client_spec.rb b/spec/lib/gitlab/kubernetes/kube_client_spec.rb
index 8fc85301304..59dbb903734 100644
--- a/spec/lib/gitlab/kubernetes/kube_client_spec.rb
+++ b/spec/lib/gitlab/kubernetes/kube_client_spec.rb
@@ -24,6 +24,36 @@ describe Gitlab::Kubernetes::KubeClient do
     end
   end
 
+  describe '#initialize' do
+    shared_examples 'local address' do
+      it 'blocks local addresses' do
+        expect { client }.to raise_error(Gitlab::UrlBlocker::BlockedUrlError)
+      end
+
+      context 'when local requests are allowed' do
+        before do
+          stub_application_setting(allow_local_requests_from_hooks_and_services: true)
+        end
+
+        it 'allows local addresses' do
+          expect { client }.not_to raise_error
+        end
+      end
+    end
+
+    context 'localhost address' do
+      let(:api_url) { 'http://localhost:22' }
+
+      it_behaves_like 'local address'
+    end
+
+    context 'private network address' do
+      let(:api_url) { 'http://192.168.1.2:3003' }
+
+      it_behaves_like 'local address'
+    end
+  end
+
   describe '#core_client' do
     subject { client.core_client }
 
diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb
index b30f80a4b3e..c2ad0076e2d 100644
--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -98,6 +98,22 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
 
         it { expect(kubernetes.save).to be_truthy }
       end
+
+      context 'when api_url is localhost' do
+        let(:api_url) { 'http://localhost:22' }
+
+        it { expect(kubernetes.save).to be_falsey }
+
+        context 'Application settings allows local requests' do
+          before do
+            allow(ApplicationSetting)
+              .to receive(:current)
+              .and_return(ApplicationSetting.build_from_defaults(allow_local_requests_from_hooks_and_services: true))
+          end
+
+          it { expect(kubernetes.save).to be_truthy }
+        end
+      end
     end
 
     context 'when validates token' do
author	Thong Kuah <tkuah@gitlab.com>	2019-02-13 09:46:59 +1300
committer	Thong Kuah <tkuah@gitlab.com>	2019-02-21 23:32:12 +1300
commit	b28592a8bb7d945a899141989598e6c41777462f (patch)
tree	8052ca88b0af00a200d1a11bac593af2d38cbebd /spec
parent	c46c62c51316da73724848b5f0dcb5aba82475e2 (diff)
download	gitlab-ce-b28592a8bb7d945a899141989598e6c41777462f.tar.gz