From 65aafb9917fb8fd4d26ca096681ca29a9a6ddda2 Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Wed, 15 Mar 2017 20:09:08 +0000
Subject: Merge branch 'ssrf' into 'security'
Protect server against SSRF in project import URLs
See merge request !2068
---
 app/models/project.rb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'app/models/project.rb')
diff --git a/app/models/project.rb b/app/models/project.rb
index 17cf8226bcc..4a3faff7d5b 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -196,6 +196,7 @@ class Project < ActiveRecord::Base
 validates :name, uniqueness: { scope: :namespace_id }
 validates :path, uniqueness: { scope: :namespace_id }
 validates :import_url, addressable_url: true, if: :external_import?
+ validates :import_url, importable_url: true, if: [:external_import?, :import_url_changed?]
 validates :star_count, numericality: { greater_than_or_equal_to: 0 }
 validate :check_limit, on: :create
 validate :avatar_type,
--
cgit v1.2.1
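Review bot: The added `importable_url` validation is guarded by `import_url_changed?`, so an `import_url` that was stored before this commit is never checked by this line while it stays unchanged, and a later re-import of such a project would presumably use it as stored. If the guard exists to keep existing projects saveable, say so in a comment above the line, e.g. `# Checked only on change so existing records stay valid; URLs stored earlier are not re-validated here.`, and consider repeating the check at the point where the import job actually fetches the URL. The validator class itself is not part of this view (the patch is limited to app/models/project.rb), so whether it accounts for hostname resolution or redirects differing between save time and fetch time cannot be judged from here. The hunk cuts through the body of `class Project`, which starts and ends outside it.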