path: root/lib/gitlab/url_blocker.rb
Commit message  [Author, Age, Files, Lines]
* Add latest changes from gitlab-org/gitlab@master  [GitLab Bot, 2020-03-31, 1 file, -2/+2]
|
* Add latest changes from gitlab-org/gitlab@master  [GitLab Bot, 2020-03-16, 1 file, -4/+4]
|
* Add latest changes from gitlab-org/gitlab@master  [GitLab Bot, 2019-10-03, 1 file, -0/+5]
|
* Add latest changes from gitlab-org/gitlab@master  [GitLab Bot, 2019-09-13, 1 file, -30/+18]
|
* Allow non-resolvable URLs when the rebinding setting is disabled  [Francisco Javier López, 2019-09-05, 1 file, -2/+6]
|   Now, when the DNS rebinding setting is disabled, we will allow URLs that are not resolvable.
* Fix broken master because of security merge  [Francisco Javier López, 2019-07-29, 1 file, -5/+2]
|
* Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq  [Robert Speicher, 2019-07-29, 1 file, -2/+14]
|\
| * Fix Server Side Request Forgery mitigation bypass  [Francisco Javier López, 2019-07-15, 1 file, -2/+11]
| |   When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem of the SSRF rebinding attack.
| |   We can't stub feature flags outside example blocks. Nevertheless, there are some actions that call the UrlBlocker that are performed outside example blocks, i.e. the `set` instruction. That's why we have to use some signaling mechanism outside the scope of the specs.
* | [ADD] outbound requests whitelist  [Reuben Pereira, 2019-07-24, 1 file, -6/+30]
|/    Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>
* Don't use bang method when there is no safe method  [Reuben Pereira, 2019-07-12, 1 file, -33/+59]
|   https://github.com/rubocop-hq/ruby-style-guide#dangerous-method-bang
* Add DNS rebinding protection settings  [Oswaldo Ferreira, 2019-05-30, 1 file, -10/+24]
|
* Protect Gitlab::HTTP against DNS rebinding attack  [Douwe Maan, 2019-05-30, 1 file, -13/+48]
|   Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field.
* Align UrlValidator to validate_url gem implementation.  [Thong Kuah, 2019-04-11, 1 file, -5/+5]
|   Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
|   Make use of the options attribute of the parent class ActiveModel::EachValidator.
|   Add more options: allow_nil, allow_blank, message.
|   Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.
* Add table and model for error tracking settings  [Reuben Pereira, 2019-01-07, 1 file, -2/+16]
|
* Allow URLs to be validated as ascii_only  [James Edwards-Jones, 2018-12-06, 1 file, -1/+8]
|   Restricts unicode characters and IDNA deviations which could be used in a phishing attack
* Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'  [Steve Azzopardi, 2018-11-28, 1 file, -4/+8]
|   [11.5] Fix SSRF in project integrations
|   See merge request gitlab/gitlabhq!2611
* Merge branch 'security-fj-crlf-injection' into 'master'  [Cindy Pallares, 2018-11-28, 1 file, -5/+14]
|   [master] Fix CRLF issue in UrlValidator
|   See merge request gitlab/gitlabhq!2627
* Merge branch 'security-stored-xss-for-environments' into 'master'  [Cindy Pallares, 2018-11-28, 1 file, -2/+4]
|   [master] Stored XSS for Environments
|   Closes #2727
|   See merge request gitlab/gitlabhq!2594
* Merge branch 'sh-block-other-localhost' into 'master'  [Thiago Presa, 2018-10-25, 1 file, -0/+7]
|\    Block additional localhost addresses in UrlBlocker
| |   See merge request gitlab/gitlabhq!2487
| * Block loopback addresses in UrlBlocker  [Stan Hu, 2018-09-05, 1 file, -0/+7]
| |   Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128
* | Enable frozen string for lib/gitlab/*.rb  [gfyoung, 2018-10-22, 1 file, -0/+2]
|/
* Block link-local addresses in URLBlocker  [Stan Hu, 2018-08-12, 1 file, -0/+8]
|   Closes https://gitlab.com/gitlab-com/migration/issues/766
* Avoid checking the user format in every url validation  [Francisco Javier López, 2018-06-11, 1 file, -2/+2]
|
* Add validation to webhook and service URLs to ensure they are not blocked because of SSRF  [Francisco Javier López, 2018-06-01, 1 file, -5/+12]
|
* Rename allow_private_networks to allow_local_network  [Douwe Maan, 2018-04-02, 1 file, -2/+2]
|
* Make error messages even more descriptive  [Douwe Maan, 2018-04-02, 1 file, -33/+47]
|
* Raise more descriptive errors when URLs are blocked  [Douwe Maan, 2018-04-02, 1 file, -14/+32]
|
* Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'  [Douwe Maan, 2018-03-21, 1 file, -10/+13]
|   Server Side Request Forgery in Services and Web Hooks
|   See merge request gitlab/gitlabhq!2337
* Merge branch 'ssrf-protections-round-2' into 'security-10-1'  [Douwe Maan, 2017-11-08, 1 file, -1/+3]
|   Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
|   See merge request gitlab/gitlabhq!2219
|   (cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5)
|   1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
* Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4' (jej/security-release-2017-08-10)  [James Edwards-Jones, 2017-08-10, 1 file, -0/+8]
|   Ensure user and hostnames begin with an alnum character in UrlBlocker
|   See merge request !2138
* Merge branch 'ssrf' into 'security'  [Rubén Dávila, 2017-03-20, 1 file, -0/+2]
|   nil check for url_blocker?
|   See merge request !2076
* Merge branch 'ssrf' into 'security'  [Douwe Maan, 2017-03-20, 1 file, -0/+57]
    Protect server against SSRF in project import URLs
    See merge request !2068
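The log above records, one commit at a time, the checks that went into this file: rejecting loopback and link-local destinations including the alternative localhost forms that Addrinfo.getaddrinfo normalises, handling IPv6 targets, refusing CR/LF and non-ASCII characters, requiring user and hostnames to start with an alphanumeric character, resolving the hostname once and pinning the verified IP for the actual request (DNS rebinding protection), and letting unresolvable names through when that setting is disabled. The block below is an added example that pulls those checks together in one place; it is not GitLab's Gitlab::UrlBlocker and does not reproduce its code. The module and method names, the `resolver:` hook (so the example runs offline), the `dns_rebind_protection:` flag and the blocked-range list are this example's own assumptions; `Net::HTTP#ipaddr=` is Ruby standard library and is what makes the request connect to the pinned IP while the hostname still goes into the `Host` header and TLS SNI.

```ruby
require 'ipaddr'
require 'net/http'
require 'socket'
require 'uri'

# Added example, not GitLab's Gitlab::UrlBlocker: module and method names,
# the injectable resolver and the range list below are this example's own.
module ExampleUrlBlocker
  class BlockedUrlError < StandardError; end

  # Destinations a webhook or import URL must never reach (constructed list).
  BLOCKED_RANGES = [
    '127.0.0.0/8',    # all of IPv4 loopback, not just 127.0.0.1
    '0.0.0.0/8',      # "this host": 0.0.0.0 reaches local services on Linux
    '169.254.0.0/16', # IPv4 link-local, including cloud metadata endpoints
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', # RFC 1918 private
    '::1/128',        # IPv6 loopback
    '::/128',         # IPv6 unspecified
    'fe80::/10',      # IPv6 link-local
    'fc00::/7'        # IPv6 unique local
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Addrinfo.getaddrinfo accepts shorthand literals that IPAddr rejects
  # ("127.1", "0x7f000001"), so they are normalised here instead of slipping
  # past a strict parser. Injectable so the example runs offline in tests.
  DEFAULT_RESOLVER = lambda do |host|
    Addrinfo.getaddrinfo(host, nil, nil, :STREAM).map(&:ip_address).uniq
  end

  def self.blocked_ip?(ip)
    addr = ip.is_a?(IPAddr) ? ip : IPAddr.new(ip)
    # ::ffff:127.0.0.1 is loopback in disguise; compare its IPv4 form.
    addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(addr) }
  end

  def self.parse_ip(host)
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil
  end

  # Returns {scheme:, host:, port:, ip:}. :ip is the address the request must
  # connect to, so a second DNS lookup cannot swap in a blocked address.
  def self.validate!(url, resolver: DEFAULT_RESOLVER, dns_rebind_protection: true)
    raise BlockedUrlError, 'URL is blank' if url.nil? || url.strip.empty?
    raise BlockedUrlError, 'URL contains CR or LF' if url.match?(/[\r\n]/)
    raise BlockedUrlError, 'URL contains non-ASCII characters' unless url.ascii_only?

    uri = begin
      URI.parse(url)
    rescue URI::InvalidURIError => e
      raise BlockedUrlError, "URL is invalid: #{e.message}"
    end
    raise BlockedUrlError, 'Only http and https are allowed' unless %w[http https].include?(uri.scheme)

    host = uri.hostname
    raise BlockedUrlError, 'URL has no host' if host.nil? || host.empty?
    if uri.user && !uri.user.match?(/\A[A-Za-z0-9]/)
      raise BlockedUrlError, 'Username must start with an alphanumeric character'
    end

    target = { scheme: uri.scheme, host: host, port: uri.port, ip: nil }

    if (literal = parse_ip(host))
      raise BlockedUrlError, "Address #{literal} is blocked" if blocked_ip?(literal)
      return target.merge(ip: literal.to_s)
    end
    unless host.match?(/\A[A-Za-z0-9]/)
      raise BlockedUrlError, 'Hostname must start with an alphanumeric character'
    end

    # Rebinding setting off: do not resolve here; an unresolvable name simply
    # fails later when the request is made.
    return target unless dns_rebind_protection

    ips = resolver.call(host)
    raise BlockedUrlError, 'Hostname could not be resolved' if ips.empty?
    if (bad = ips.find { |ip| blocked_ip?(ip) })
      raise BlockedUrlError, "Hostname resolves to blocked address #{bad}"
    end
    target.merge(ip: ips.first)
  end

  def self.blocked?(url, **opts)
    validate!(url, **opts)
    false
  rescue BlockedUrlError
    true
  end

  # Net::HTTP#ipaddr= connects to the pinned IP while keeping the hostname
  # for the Host header and TLS SNI: the resolve-once pattern.
  def self.pinned_http(target)
    http = Net::HTTP.new(target[:host], target[:port])
    http.use_ssl = target[:scheme] == 'https'
    http.ipaddr = target[:ip] if target[:ip]
    http
  end
end
```

The returned target covers only the first hop: if the request is followed through redirects, each new location has to go through `validate!` again, or the pinning is lost on the second request. Rejecting raw CR/LF before parsing matters because a URL that survives parsing with those bytes can otherwise be turned into header injection once it is copied into a request.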