diff options
-rw-r--r-- | changelogs/unreleased/security-fj-crlf-injection.yml | 5 | ||||
-rw-r--r-- | lib/gitlab/url_blocker.rb | 19 | ||||
-rw-r--r-- | spec/models/project_spec.rb | 115 | ||||
-rw-r--r-- | spec/support/shared_contexts/url_shared_context.rb | 17 | ||||
-rw-r--r-- | spec/validators/url_validator_spec.rb | 26 |
5 files changed, 128 insertions, 54 deletions
diff --git a/changelogs/unreleased/security-fj-crlf-injection.yml b/changelogs/unreleased/security-fj-crlf-injection.yml new file mode 100644 index 00000000000..861167b8a6e --- /dev/null +++ b/changelogs/unreleased/security-fj-crlf-injection.yml @@ -0,0 +1,5 @@ +--- +title: Fix CRLF vulnerability in Project hooks +merge_request: +author: +type: security diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb index 4b1b58d68d8..fa401abc6bb 100644 --- a/lib/gitlab/url_blocker.rb +++ b/lib/gitlab/url_blocker.rb @@ -10,11 +10,8 @@ module Gitlab def validate!(url, allow_localhost: false, allow_local_network: true, enforce_user: false, ports: [], protocols: []) return true if url.nil? - begin - uri = Addressable::URI.parse(url) - rescue Addressable::URI::InvalidURIError - raise BlockedUrlError, "URI is invalid" - end + # Param url can be a string, URI or Addressable::URI + uri = parse_url(url) # Allow imports from the GitLab instance itself but only from the configured ports return true if internal?(uri) @@ -49,6 +46,18 @@ module Gitlab private + def parse_url(url) + raise Addressable::URI::InvalidURIError if multiline?(url) + + Addressable::URI.parse(url) + rescue Addressable::URI::InvalidURIError, URI::InvalidURIError + raise BlockedUrlError, 'URI is invalid' + end + + def multiline?(url) + CGI.unescape(url.to_s) =~ /\n|\r/ + end + def validate_port!(port, ports) return if port.blank? # Only ports under 1024 are restricted diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index ca7d13ea5a4..e98c69e636a 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -218,76 +218,93 @@ describe Project do end end - it 'does not allow an invalid URI as import_url' do - project = build(:project, import_url: 'invalid://') + describe 'import_url' do + it 'does not allow an invalid URI as import_url' do + project = build(:project, import_url: 'invalid://') - expect(project).not_to be_valid - end + expect(project).not_to be_valid + end - it 'does allow a SSH URI as import_url for persisted projects' do - project = create(:project) - project.import_url = 'ssh://test@gitlab.com/project.git' + it 'does allow a SSH URI as import_url for persisted projects' do + project = create(:project) + project.import_url = 'ssh://test@gitlab.com/project.git' - expect(project).to be_valid - end + expect(project).to be_valid + end - it 'does not allow a SSH URI as import_url for new projects' do - project = build(:project, import_url: 'ssh://test@gitlab.com/project.git') + it 'does not allow a SSH URI as import_url for new projects' do + project = build(:project, import_url: 'ssh://test@gitlab.com/project.git') - expect(project).not_to be_valid - end + expect(project).not_to be_valid + end - it 'does allow a valid URI as import_url' do - project = build(:project, import_url: 'http://gitlab.com/project.git') + it 'does allow a valid URI as import_url' do + project = build(:project, import_url: 'http://gitlab.com/project.git') - expect(project).to be_valid - end + expect(project).to be_valid + end - it 'allows an empty URI' do - project = build(:project, import_url: '') + it 'allows an empty URI' do + project = build(:project, import_url: '') - expect(project).to be_valid - end + expect(project).to be_valid + end - it 'does not produce import data on an empty URI' do - project = build(:project, import_url: '') + it 'does not produce import data on an empty URI' do + project = build(:project, import_url: '') - expect(project.import_data).to be_nil - end + expect(project.import_data).to be_nil + end - it 'does not produce import data on an invalid URI' do - project = build(:project, import_url: 'test://') + it 'does not produce import data on an invalid URI' do + project = build(:project, import_url: 'test://') - expect(project.import_data).to be_nil - end + expect(project.import_data).to be_nil + end - it "does not allow import_url pointing to localhost" do - project = build(:project, import_url: 'http://localhost:9000/t.git') + it "does not allow import_url pointing to localhost" do + project = build(:project, import_url: 'http://localhost:9000/t.git') - expect(project).to be_invalid - expect(project.errors[:import_url].first).to include('Requests to localhost are not allowed') - end + expect(project).to be_invalid + expect(project.errors[:import_url].first).to include('Requests to localhost are not allowed') + end - it "does not allow import_url with invalid ports for new projects" do - project = build(:project, import_url: 'http://github.com:25/t.git') + it "does not allow import_url with invalid ports for new projects" do + project = build(:project, import_url: 'http://github.com:25/t.git') - expect(project).to be_invalid - expect(project.errors[:import_url].first).to include('Only allowed ports are 80, 443') - end + expect(project).to be_invalid + expect(project.errors[:import_url].first).to include('Only allowed ports are 80, 443') + end - it "does not allow import_url with invalid ports for persisted projects" do - project = create(:project) - project.import_url = 'http://github.com:25/t.git' + it "does not allow import_url with invalid ports for persisted projects" do + project = create(:project) + project.import_url = 'http://github.com:25/t.git' - expect(project).to be_invalid - expect(project.errors[:import_url].first).to include('Only allowed ports are 22, 80, 443') - end + expect(project).to be_invalid + expect(project.errors[:import_url].first).to include('Only allowed ports are 22, 80, 443') + end + + it "does not allow import_url with invalid user" do + project = build(:project, import_url: 'http://$user:password@github.com/t.git') + + expect(project).to be_invalid + expect(project.errors[:import_url].first).to include('Username needs to start with an alphanumeric character') + end - it "does not allow import_url with invalid user" do - project = build(:project, import_url: 'http://$user:password@github.com/t.git') + include_context 'invalid urls' - expect(project).to be_invalid - expect(project.errors[:import_url].first).to include('Username needs to start with an alphanumeric character') + it 'does not allow urls with CR or LF characters' do + project = build(:project) + + aggregate_failures do + urls_with_CRLF.each do |url| + project.import_url = url + + expect(project).not_to be_valid + expect(project.errors.full_messages.first).to match(/is blocked: URI is invalid/) + end + end + end end describe 'project pending deletion' do diff --git a/spec/support/shared_contexts/url_shared_context.rb b/spec/support/shared_contexts/url_shared_context.rb new file mode 100644 index 00000000000..1b1f67daac3 --- /dev/null +++ b/spec/support/shared_contexts/url_shared_context.rb @@ -0,0 +1,17 @@ +shared_context 'invalid urls' do + let(:urls_with_CRLF) do + ["http://127.0.0.1:333/pa\rth", + "http://127.0.0.1:333/pa\nth", + "http://127.0a.0.1:333/pa\r\nth", + "http://127.0.0.1:333/path?param=foo\r\nbar", + "http://127.0.0.1:333/path?param=foo\rbar", + "http://127.0.0.1:333/path?param=foo\nbar", + "http://127.0.0.1:333/pa%0dth", + "http://127.0.0.1:333/pa%0ath", + "http://127.0a.0.1:333/pa%0d%0th", + "http://127.0.0.1:333/pa%0D%0Ath", + "http://127.0.0.1:333/path?param=foo%0Abar", + "http://127.0.0.1:333/path?param=foo%0Dbar", + "http://127.0.0.1:333/path?param=foo%0D%0Abar"] + end +end diff --git a/spec/validators/url_validator_spec.rb b/spec/validators/url_validator_spec.rb index ab6100509a6..082d09d3f16 100644 --- a/spec/validators/url_validator_spec.rb +++ b/spec/validators/url_validator_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe UrlValidator do @@ -6,6 +8,30 @@ describe UrlValidator do include_examples 'url validator examples', described_class::DEFAULT_PROTOCOLS + describe 'validations' do + include_context 'invalid urls' + + let(:validator) { described_class.new(attributes: [:link_url]) } + + it 'returns error when url is nil' do + expect(validator.validate_each(badge, :link_url, nil)).to be_nil + expect(badge.errors.first[1]).to eq 'must be a valid URL' + end + + it 'returns error when url is empty' do + expect(validator.validate_each(badge, :link_url, '')).to be_nil + expect(badge.errors.first[1]).to eq 'must be a valid URL' + end + + it 'does not allow urls with CR or LF characters' do + aggregate_failures do + urls_with_CRLF.each do |url| + expect(validator.validate_each(badge, :link_url, url)[0]).to eq 'is blocked: URI is invalid' + end + end + end + end + context 'by default' do let(:validator) { described_class.new(attributes: [:link_url]) } |