-rw-r--r-- | app/validators/importable_url_validator.rb | 8 | ||||
-rw-r--r-- | lib/gitlab/proxy_http_connection_adapter.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/url_blocker.rb | 4 | ||||
-rw-r--r-- | spec/lib/gitlab/url_blocker_spec.rb | 12 |
4 files changed, 12 insertions, 14 deletions
diff --git a/app/validators/importable_url_validator.rb b/app/validators/importable_url_validator.rb
index cafb43e69a2..612d3c71913 100644
--- a/app/validators/importable_url_validator.rb
+++ b/app/validators/importable_url_validator.rb
@@ -4,10 +4,8 @@
 # protect against Server-side Request Forgery (SSRF).
 class ImportableUrlValidator < ActiveModel::EachValidator
 def validate_each(record, attribute, value)
- begin
- Gitlab::UrlBlocker.validate!(value, valid_ports: Project::VALID_IMPORT_PORTS)
- rescue Gitlab::UrlBlocker::BlockedUrlError => e
- record.errors.add(attribute, "is blocked: #{e.message}")
- end
+ Gitlab::UrlBlocker.validate!(value, valid_ports: Project::VALID_IMPORT_PORTS)
+ rescue Gitlab::UrlBlocker::BlockedUrlError => e
+ record.errors.add(attribute, "is blocked: #{e.message}")
 end
 end
diff --git a/lib/gitlab/proxy_http_connection_adapter.rb b/lib/gitlab/proxy_http_connection_adapter.rb
index 65ea8c22309..d682289b632 100644
--- a/lib/gitlab/proxy_http_connection_adapter.rb
+++ b/lib/gitlab/proxy_http_connection_adapter.rb
@@ -12,7 +12,7 @@ module Gitlab
 def connection
 unless allow_local_requests?
 begin
- Gitlab::UrlBlocker.validate!(uri, allow_private_networks: false)
+ Gitlab::UrlBlocker.validate!(uri, allow_local_network: false)
 rescue Gitlab::UrlBlocker::BlockedUrlError => e
 raise Gitlab::HTTP::BlockedUrlError, "URL '#{uri}' is blocked: #{e.message}"
 end
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index f2c97791b9d..db97f65bd54 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -5,7 +5,7 @@ module Gitlab
 BlockedUrlError = Class.new(StandardError)
 class << self
- def validate!(url, allow_localhost: false, allow_private_networks: true, valid_ports: [])
+ def validate!(url, allow_localhost: false, allow_local_network: true, valid_ports: [])
 return true if url.nil?
 begin
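Review bot: In app/validators/importable_url_validator.rb the call `Gitlab::UrlBlocker.validate!(value, valid_ports: Project::VALID_IMPORT_PORTS)` leaves the local-network check at its default, and the lib/gitlab/url_blocker.rb hunk in this commit shows that default is `allow_local_network: true`, which skips `validate_local_network!`. For a validator whose header comment says it protects against SSRF, this means only the localhost and port checks visibly apply to an import URL that resolves to a private-network address. If that is intentional, make it visible at the call site by passing `allow_local_network: true` explicitly with a one-line comment giving the reason; if it is not, pass `false` as lib/gitlab/proxy_http_connection_adapter.rb does.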
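Review bot: Renaming the keyword in the `validate!` signature in lib/gitlab/url_blocker.rb leaves no transition path for callers outside this commit: one that still passes `allow_private_networks:` will raise ArgumentError, which the `rescue Gitlab::UrlBlocker::BlockedUrlError` handlers visible in this commit do not catch. Please confirm that no other call site still uses the old name, including anything that forwards options, as `blocked_url?` appears to do in the spec. The signature also has no doc comment; a line such as `# allow_local_network: when false, reject URLs that resolve to private-network addresses` above it would record that the two defaults differ (`allow_localhost: false`, `allow_local_network: true`). The body of `validate!` continues outside this hunk.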
@@ -29,7 +29,7 @@ module Gitlab
 end
 validate_localhost!(addrs_info) unless allow_localhost
- validate_local_network!(addrs_info) unless allow_private_networks
+ validate_local_network!(addrs_info) unless allow_local_network
 true
 end
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb
index 2d35b026485..a3b3dc3be6d 100644
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -74,13 +74,13 @@ describe Gitlab::UrlBlocker do
 expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git')).to be false
 end
- context 'when allow_private_networks is' do
- let(:private_networks) { ['192.168.1.2', '10.0.0.2', '172.16.0.2'] }
+ context 'when allow_local_network is' do
+ let(:local_ips) { ['192.168.1.2', '10.0.0.2', '172.16.0.2'] }
 let(:fake_domain) { 'www.fakedomain.fake' }
 context 'true (default)' do
 it 'does not block urls from private networks' do
- private_networks.each do |ip|
+ local_ips.each do |ip|
 stub_domain_resolv(fake_domain, ip)
 expect(described_class).not_to be_blocked_url("http://#{fake_domain}")
@@ -94,14 +94,14 @@ describe Gitlab::UrlBlocker do
 context 'false' do
 it 'blocks urls from private networks' do
- private_networks.each do |ip|
+ local_ips.each do |ip|
 stub_domain_resolv(fake_domain, ip)
- expect(described_class).to be_blocked_url("http://#{fake_domain}", allow_private_networks: false)
+ expect(described_class).to be_blocked_url("http://#{fake_domain}", allow_local_network: false)
 unstub_domain_resolv
- expect(described_class).to be_blocked_url("http://#{ip}", allow_private_networks: false)
+ expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false)
 end
 end
 end
|
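Review bot: `validate_local_network!(addrs_info)` in lib/gitlab/url_blocker.rb checks the addresses resolved while validating, and nothing visible in this hunk ties the later connection to those same addresses. If the caller resolves the hostname again when it connects, a DNS answer that differs between the two lookups would not be covered by this check. It is worth either confirming that the connection path reuses the validated address or adding a comment on `validate!` such as `# NOTE: validates a point-in-time DNS resolution; callers must not assume the host resolves the same way later`. The body of `validate!` starts outside this hunk.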
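Review bot: The `local_ips` fixture in spec/lib/gitlab/url_blocker_spec.rb covers only three RFC 1918 IPv4 addresses, so the spec does not pin what `allow_local_network: false` does for other non-public ranges such as IPv4 link-local (169.254.0.0/16) or IPv6 unique-local addresses. The implementation of `validate_local_network!` is not visible here, so whether those are blocked is unknown; one example per range the check is meant to cover would make the contract explicit. The example descriptions in both spec hunks still say 'private networks' although the option and fixture were renamed; `it 'blocks urls from the local network' do` would keep them aligned. Both `context` blocks extend beyond the hunks.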