From b599fb4f85b09d78d28ea5701eac7d28ceabbec7 Mon Sep 17 00:00:00 2001
From: Oswaldo Ferreira
Date: Wed, 29 May 2019 13:43:07 -0300
Subject: Add DNS rebinding protection settings
---
 app/helpers/application_settings_helper.rb | 1 +
 app/models/application_setting_implementation.rb | 1 +
 app/views/admin/application_settings/_outbound.html.haml | 8 ++++++++
 3 files changed, 10 insertions(+)
(limited to 'app')
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 971d1052824..4469118f065 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -160,6 +160,7 @@ module ApplicationSettingsHelper
 :akismet_api_key,
 :akismet_enabled,
 :allow_local_requests_from_hooks_and_services,
+ :dns_rebinding_protection_enabled,
 :archive_builds_in_human_readable,
 :authorized_keys_enabled,
 :auto_devops_enabled,
diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb
index e51619b0f9c..904d650ef96 100644
--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -21,6 +21,7 @@ module ApplicationSettingImplementation
 after_sign_up_text: nil,
 akismet_enabled: false,
 allow_local_requests_from_hooks_and_services: false,
+ dns_rebinding_protection_enabled: true,
 authorized_keys_enabled: true, # TODO default to false if the instance is configured to use AuthorizedKeysCommand
 container_registry_token_expire_delay: 5,
 default_artifacts_expire_in: '30 days',
diff --git a/app/views/admin/application_settings/_outbound.html.haml b/app/views/admin/application_settings/_outbound.html.haml
index f4bfb5af385..dd56bb99a06 100644
--- a/app/views/admin/application_settings/_outbound.html.haml
+++ b/app/views/admin/application_settings/_outbound.html.haml
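Review bot: `:dns_rebinding_protection_enabled` is inserted directly after `:allow_local_requests_from_hooks_and_services`, which breaks the alphabetical order that the visible neighbours in this ApplicationSettingsHelper list follow. The same applies to `dns_rebinding_protection_enabled: true` in the defaults hash of ApplicationSettingImplementation. If the grouping with the local-requests setting is deliberate, a one-line comment such as `# outbound request hardening, kept next to allow_local_requests_*` would make that clear; otherwise both entries belong with the other `d…` keys. Both the list and the hash start and end outside their hunks, so the exact target position is not visible here.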
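Review bot: The `dns_rebinding_protection_enabled: true` default in ApplicationSettingImplementation only covers settings built from this in-memory hash, and the page is limited to `app/`, so the database column and its default are not shown. If the column were added without a matching default, existing instances could read the setting as false or NULL, which would presumably leave outbound hook and service requests without the rebinding check. It is worth confirming that the migration declares the column as `null: false, default: true`. A short comment next to the key would also help, for example `# secure default: requests are sent to the IP that was validated`.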
@@ -8,4 +8,12 @@ = f.label :allow_local_requests_from_hooks_and_services, class: 'form-check-label' do Allow requests to the local network from hooks and services + .form-group + .form-check + = f.check_box :dns_rebinding_protection_enabled, class: 'form-check-input' + = f.label :dns_rebinding_protection_enabled, class: 'form-check-label' do + = _('Enforce DNS rebinding attack protection') + %span.form-text.text-muted + = _('Resolves IP addresses once and uses them to submit requests') + = f.submit 'Save changes', class: "btn btn-success" -- cgit v1.2.1
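Review bot: The help text under the new checkbox, `Resolves IP addresses once and uses them to submit requests`, describes the mechanism but not what an administrator loses by unchecking it. Because the default set elsewhere in this commit is enabled, the only risky action in this form is turning the protection off, and the text should say so. One option is `= _('Resolves IP addresses once and uses them to submit requests. Disabling this allows a hostname to resolve to a different address after it has been validated.')`. The neighbouring label `Allow requests to the local network from hooks and services` is a bare string while the new strings are wrapped in `_()`; that line predates this change but could be aligned in a follow-up.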