diff options
Diffstat (limited to 'spec/lib/gitlab/url_blocker_spec.rb')
-rw-r--r-- | spec/lib/gitlab/url_blocker_spec.rb | 64 |
1 files changed, 60 insertions, 4 deletions
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb index 6d1d7e48326..6ce002ad70e 100644 --- a/spec/lib/gitlab/url_blocker_spec.rb +++ b/spec/lib/gitlab/url_blocker_spec.rb @@ -30,8 +30,12 @@ describe Gitlab::UrlBlocker do context 'when URI is internal' do let(:import_url) { 'http://localhost' } + before do + stub_dns(import_url, ip_address: '127.0.0.1') + end + it_behaves_like 'validates URI and hostname' do - let(:expected_uri) { 'http://[::1]' } + let(:expected_uri) { 'http://127.0.0.1' } let(:expected_hostname) { 'localhost' } end end @@ -347,6 +351,7 @@ describe Gitlab::UrlBlocker do end before do + allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.new) stub_application_setting(outbound_local_requests_whitelist: whitelist) end @@ -384,9 +389,15 @@ describe Gitlab::UrlBlocker do it_behaves_like 'allows local requests', { allow_localhost: false, allow_local_network: false } it 'whitelists IP when dns_rebind_protection is disabled' do - stub_domain_resolv('example.com', '192.168.1.1') do - expect(described_class).not_to be_blocked_url("http://example.com", - url_blocker_attributes.merge(dns_rebind_protection: false)) + url = "http://example.com" + attrs = url_blocker_attributes.merge(dns_rebind_protection: false) + + stub_domain_resolv('example.com', '192.168.1.2') do + expect(described_class).not_to be_blocked_url(url, attrs) + end + + stub_domain_resolv('example.com', '192.168.1.3') do + expect(described_class).to be_blocked_url(url, attrs) end end end @@ -437,6 +448,51 @@ describe Gitlab::UrlBlocker do url_blocker_attributes) end end + + shared_examples 'dns rebinding checks' do + shared_examples 'whitelists the domain' do + let(:whitelist) { [domain] } + let(:url) { "http://#{domain}" } + + before do + stub_env('RSPEC_ALLOW_INVALID_URLS', 'false') + end + + it do + expect(described_class).not_to be_blocked_url(url, dns_rebind_protection: dns_rebind_value) + end + end + + context 'when dns_rebinding_setting is' do + context 'enabled' do + let(:dns_rebind_value) { true } + + it_behaves_like 'whitelists the domain' + end + + context 'disabled' do + let(:dns_rebind_value) { false } + + it_behaves_like 'whitelists the domain' + end + end + end + + context 'when the domain cannot be resolved' do + let(:domain) { 'foobar.x' } + + it_behaves_like 'dns rebinding checks' + end + + context 'when the domain can be resolved' do + let(:domain) { 'example.com' } + + before do + stub_dns(url, ip_address: '93.184.216.34') + end + + it_behaves_like 'dns rebinding checks' + end end context 'with ip ranges in whitelist' do |