From 537eb0bb2d4d8a2af9753850c4a85fc473b68d8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Francisco=20Javier=20L=C3=B3pez?= <fjlopez@gitlab.com>
Date: Thu, 5 Sep 2019 09:11:14 +0000
Subject: Avoid checking dns rebind protection in validation

---
 app/validators/addressable_url_validator.rb        |  8 ++++-
 .../fj-remove-dns-protection-when-validating.yml   |  5 +++
 spec/validators/addressable_url_validator_spec.rb  | 37 ++++++++++++++++++++++
 3 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/fj-remove-dns-protection-when-validating.yml

diff --git a/app/validators/addressable_url_validator.rb b/app/validators/addressable_url_validator.rb
index bb445499cee..f292730441c 100644
--- a/app/validators/addressable_url_validator.rb
+++ b/app/validators/addressable_url_validator.rb
@@ -42,6 +42,11 @@
 class AddressableUrlValidator < ActiveModel::EachValidator
   attr_reader :record
 
+  # By default, we avoid checking the dns rebinding protection
+  # when saving/updating a record. Sometimes, the url
+  # is not resolvable at that point, and some automated
+  # tasks that uses that url won't work.
+  # See https://gitlab.com/gitlab-org/gitlab-ce/issues/66723
   BLOCKER_VALIDATE_OPTIONS = {
     schemes: %w(http https),
     ports: [],
@@ -49,7 +54,8 @@ class AddressableUrlValidator < ActiveModel::EachValidator
     allow_local_network: true,
     ascii_only: false,
     enforce_user: false,
-    enforce_sanitization: false
+    enforce_sanitization: false,
+    dns_rebind_protection: false
   }.freeze
 
   DEFAULT_OPTIONS = BLOCKER_VALIDATE_OPTIONS.merge({
diff --git a/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
new file mode 100644
index 00000000000..9c74f8d69c7
--- /dev/null
+++ b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
@@ -0,0 +1,5 @@
+---
+title: Avoid checking dns rebind protection when validating
+merge_request: 32577
+author:
+type: fixed
diff --git a/spec/validators/addressable_url_validator_spec.rb b/spec/validators/addressable_url_validator_spec.rb
index 387e84b2d04..6927a1f67a1 100644
--- a/spec/validators/addressable_url_validator_spec.rb
+++ b/spec/validators/addressable_url_validator_spec.rb
@@ -92,6 +92,15 @@ describe AddressableUrlValidator do
       expect(badge.errors).to be_empty
       expect(badge.link_url).to eq('https://127.0.0.1')
     end
+
+    it 'allows urls that cannot be resolved' do
+      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+      badge.link_url = 'http://foobar.x'
+
+      subject
+
+      expect(badge.errors).to be_empty
+    end
   end
 
   context 'when message is set' do
@@ -312,4 +321,32 @@ describe AddressableUrlValidator do
       end
     end
   end
+
+  context 'when dns_rebind_protection is' do
+    let(:not_resolvable_url) { 'http://foobar.x' }
+    let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) }
+
+    before do
+      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+      badge.link_url = not_resolvable_url
+
+      subject
+    end
+
+    context 'true' do
+      let(:dns_value) { true }
+
+      it 'raises error' do
+        expect(badge.errors).to be_present
+      end
+    end
+
+    context 'false' do
+      let(:dns_value) { false }
+
+      it 'allows urls that cannot be resolved' do
+        expect(badge.errors).to be_empty
+      end
+    end
+  end
 end
-- 
cgit v1.2.1