Merge branch 'sh-fix-hipchat-ssrf' into 'master'

[master] Prevent SSRF attacks in HipChat integration See merge request gitlab/gitlabhq!2530

Merge branch 'sh-fix-hipchat-ssrf' into 'master'
[master] Prevent SSRF attacks in HipChat integration See merge request gitlab/gitlabhq!2530
107351e0 · Jan Provaznik · a632452d · 215feb64 · 107351e0 · 107351e0
Commit 107351e0 authored Oct 29, 2018 by Jan Provaznik
3 changed files
--- a/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
+++ b/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
+---
+title: Prevent SSRF attacks in HipChat integration
+merge_request:
+author:
+type: security
--- a/config/initializers/hipchat_client_patch.rb
+++ b/config/initializers/hipchat_client_patch.rb
+# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
+module HipChat
+  class Client
+    connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+  end
+
+  class Room
+    connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+  end
+
+  class User
+    connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+  end
+end
--- a/spec/models/project_services/hipchat_service_spec.rb
+++ b/spec/models/project_services/hipchat_service_spec.rb
@@ -387,4 +387,22 @@ describe HipchatService do
      end
    end
  end
+
+  context 'with UrlBlocker' do
+    let(:user)    { create(:user) }
+    let(:project) { create(:project, :repository) }
+    let(:hipchat) { described_class.new(project: project) }
+    let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
+
+    describe '#execute' do
+      before do
+        hipchat.server = 'http://localhost:9123'
+      end
+
+      it 'raises UrlBlocker for localhost' do
+        expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
+        expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
+      end
+    end
+  end
 end