Commit
02018e1a
authored
Jun 27, 2019
by
manojmj
Do not allow localhost url redirection in GitHub Integration
parent
b85e6215
Showing
6 changed files
with
100 additions
and
3 deletions
+100
-3
changelogs/unreleased/security-github-ssrf-redirect.yml
changelogs/unreleased/security-github-ssrf-redirect.yml
+5
-0
config/initializers/octokit.rb
config/initializers/octokit.rb
+1
-0
lib/gitlab/github_import/client.rb
lib/gitlab/github_import/client.rb
+2
-2
lib/gitlab/legacy_github_import/client.rb
lib/gitlab/legacy_github_import/client.rb
+1
-1
lib/gitlab/octokit/middleware.rb
lib/gitlab/octokit/middleware.rb
+23
-0
spec/lib/gitlab/octokit/middleware_spec.rb
spec/lib/gitlab/octokit/middleware_spec.rb
+68
-0
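--- /dev/null
+++ b/changelogs/unreleased/security-github-ssrf-redirect.yml
@@ -0,0 +1,5 @@
+---
+title: Do not allow localhost url redirection in GitHub Integration
+merge_request:
+author:
+type: security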
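--- /dev/null
+++ b/config/initializers/octokit.rb
@@ -0,0 +1 @@
+Octokit.middleware.insert_after Octokit::Middleware::FollowRedirects, Gitlab::Octokit::Middleware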
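Review bot: The single line of this initializer encodes a load-bearing ordering decision with no comment: the middleware is inserted after `Octokit::Middleware::FollowRedirects`, which, if the Faraday stack behaves as I expect, is what makes every redirect hop's URL pass through `Gitlab::Octokit::Middleware` rather than only the initial request URL. Inserting it before FollowRedirects would leave the redirect target unvalidated, which is exactly the case the commit title addresses, so the position should be stated explicitly. Suggest `# Must sit below FollowRedirects so that each redirect target is validated, not only the initial request URL.` above the call.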
lib/gitlab/github_import/client.rb
...
@@ -40,7 +40,7 @@ module Gitlab
...
@@ -40,7 +40,7 @@ module Gitlab
# otherwise hitting the rate limit will result in a thread
# otherwise hitting the rate limit will result in a thread
# being blocked in a `sleep()` call for up to an hour.
# being blocked in a `sleep()` call for up to an hour.
def
initialize
(
token
,
per_page:
100
,
parallel:
true
)
def
initialize
(
token
,
per_page:
100
,
parallel:
true
)
@octokit
=
Octokit
::
Client
.
new
(
@octokit
=
::
Octokit
::
Client
.
new
(
access_token:
token
,
access_token:
token
,
per_page:
per_page
,
per_page:
per_page
,
api_endpoint:
api_endpoint
api_endpoint:
api_endpoint
...
@@ -139,7 +139,7 @@ module Gitlab
...
@@ -139,7 +139,7 @@ module Gitlab
begin
begin
yield
yield
rescue
Octokit
::
TooManyRequests
rescue
::
Octokit
::
TooManyRequests
raise_or_wait_for_rate_limit
raise_or_wait_for_rate_limit
# This retry will only happen when running in sequential mode as we'll
# This retry will only happen when running in sequential mode as we'll
...
...
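Review bot: The `::Octokit` prefix added in both hunks is needed only because the new `Gitlab::Octokit` namespace now shadows the top-level constant inside `module Gitlab`, and nothing in the file says so; a later reader may "simplify" it back to `Octokit` and get a NameError, or a silently wrong constant lookup. A short comment at the first qualified use, `# ::Octokit is fully qualified because Gitlab::Octokit (the URL-blocking middleware namespace) shadows it here`, would pin the reason. The same point applies to the `rescue ::Octokit::NotFound` hunk in lib/gitlab/legacy_github_import/client.rb. Both hunks here are cut off at the bottom, so I cannot confirm whether any other unqualified `Octokit` references remain elsewhere in these files; any that do would need the same qualification.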
lib/gitlab/legacy_github_import/client.rb
...
@@ -101,7 +101,7 @@ module Gitlab
...
@@ -101,7 +101,7 @@ module Gitlab
# GitHub Rate Limit API returns 404 when the rate limit is
# GitHub Rate Limit API returns 404 when the rate limit is
# disabled. In this case we just want to return gracefully
# disabled. In this case we just want to return gracefully
# instead of spitting out an error.
# instead of spitting out an error.
rescue
Octokit
::
NotFound
rescue
::
Octokit
::
NotFound
nil
nil
end
end
...
...
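--- /dev/null
+++ b/lib/gitlab/octokit/middleware.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Octokit
+    class Middleware
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        Gitlab::UrlBlocker.validate!(env[:url], { allow_localhost: allow_local_requests?, allow_local_network: allow_local_requests? })
+
+        @app.call(env)
+      end
+
+      private
+
+      def allow_local_requests?
+        Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?
+      end
+    end
+  end
+end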
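Review bot: The new class carries no documentation of its purpose or of what it raises, and `call` is the guard every outgoing Octokit request now passes through, so a header comment matters here. Suggest above `class Middleware`: `# Faraday middleware that runs each outgoing Octokit request URL through Gitlab::UrlBlocker before it is sent; raises Gitlab::UrlBlocker::BlockedUrlError (not an Octokit::Error) when the URL points at localhost or the local network and the corresponding application setting is off.` Callers that rescue only `::Octokit::*` errors, as the import clients in this commit do, will therefore let a blocked URL propagate, which looks intended but is worth stating in that comment. As a minor style point, `allow_local_requests?` is evaluated twice per request in `call`; a local `allow = allow_local_requests?` passed to both keys reads the setting once.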
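--- /dev/null
+++ b/spec/lib/gitlab/octokit/middleware_spec.rb
@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+describe Gitlab::Octokit::Middleware do
+  let(:app) { double(:app) }
+  let(:middleware) { described_class.new(app) }
+
+  shared_examples 'Public URL' do
+    it 'does not raise an error' do
+      expect(app).to receive(:call).with(env)
+
+      expect { middleware.call(env) }.not_to raise_error
+    end
+  end
+
+  shared_examples 'Local URL' do
+    it 'raises an error' do
+      expect { middleware.call(env) }.to raise_error(Gitlab::UrlBlocker::BlockedUrlError)
+    end
+  end
+
+  describe '#call' do
+    context 'when the URL is a public URL' do
+      let(:env) { { url: 'https://public-url.com' } }
+
+      it_behaves_like 'Public URL'
+    end
+
+    context 'when the URL is a localhost adresss' do
+      let(:env) { { url: 'http://127.0.0.1' } }
+
+      context 'when localhost requests are not allowed' do
+        before do
+          stub_application_setting(allow_local_requests_from_hooks_and_services: false)
+        end
+
+        it_behaves_like 'Local URL'
+      end
+
+      context 'when localhost requests are allowed' do
+        before do
+          stub_application_setting(allow_local_requests_from_hooks_and_services: true)
+        end
+
+        it_behaves_like 'Public URL'
+      end
+    end
+
+    context 'when the URL is a local network address' do
+      let(:env) { { url: 'http://172.16.0.0' } }
+
+      context 'when local network requests are not allowed' do
+        before do
+          stub_application_setting(allow_local_requests_from_hooks_and_services: false)
+        end
+
+        it_behaves_like 'Local URL'
+      end
+
+      context 'when local network requests are allowed' do
+        before do
+          stub_application_setting(allow_local_requests_from_hooks_and_services: true)
+        end
+
+        it_behaves_like 'Public URL'
+      end
+    end
+  end
+end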
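Review bot: The 'Local URL' shared example only asserts that `BlockedUrlError` is raised; it does not assert that the wrapped app is never invoked, so a regression in which validation fails only after the request has already been forwarded would still pass. Adding `expect(app).not_to receive(:call)` before the `expect { middleware.call(env) }.to raise_error(...)` line pins the property this commit is about. The context description 'when the URL is a localhost adresss' also has a typo (`address`).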