Commit 107351e0 authored by Jan Provaznik's avatar Jan Provaznik

Merge branch 'sh-fix-hipchat-ssrf' into 'master'

[master] Prevent SSRF attacks in HipChat integration

See merge request gitlab/gitlabhq!2530
parents a632452d 215feb64
---
title: Prevent SSRF attacks in HipChat integration
merge_request:
author:
type: security
# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
module HipChat
class Client
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
end
class Room
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
end
class User
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
end
end
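Review bot: The patch only reaches the three hipchat-rb classes named here, so any other HTTParty-backed class in the gem (or one introduced by a gem upgrade) would still issue requests without going through `::Gitlab::ProxyHTTPConnectionAdapter`; a spec asserting that every HTTParty class under `HipChat` has `connection_adapter == Gitlab::ProxyHTTPConnectionAdapter` would catch that drift. The classes are reopened without a `require 'hipchat'`, so the file relies on the gem already being loaded when initializers run; if it were not, `connection_adapter` would be undefined and boot would fail rather than the patch silently creating empty classes, which is fail-closed but worth a comment (load order is not visible from here). The header comment should say what the patch is for, e.g. `# Route every request hipchat-rb makes through Gitlab::ProxyHTTPConnectionAdapter so the user-configured server URL is checked by Gitlab::UrlBlocker (SSRF protection). Must cover every HTTParty class in the gem.` Whether the adapter also pins the connection to the validated address (DNS rebinding between validation and connect) cannot be seen from this hunk and should be confirmed.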
...@@ -387,4 +387,22 @@ describe HipchatService do ...@@ -387,4 +387,22 @@ describe HipchatService do
end end
end end
end end
context 'with UrlBlocker' do
let(:user) { create(:user) }
let(:project) { create(:project, :repository) }
let(:hipchat) { described_class.new(project: project) }
let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
describe '#execute' do
before do
hipchat.server = 'http://localhost:9123'
end
it 'raises UrlBlocker for localhost' do
expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
end
end
end
end end
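Review bot: The new `with UrlBlocker` context only exercises the localhost case, so it would also pass if the adapter blocked every server; a companion example that sets an allowed host (e.g. `hipchat.server = 'https://api.hipchat.com'` with the request stubbed the way the surrounding examples presumably do) and asserts that `hipchat.execute(push_sample_data)` does not raise `Gitlab::HTTP::BlockedUrlError` would pin that legitimate servers keep working. Since the UrlBlocker is expected to reject link-local and private ranges as well, a second blocked example such as `hipchat.server = 'http://169.254.169.254'` would cover the cloud-metadata target that SSRF attackers go for most — hedged, as the blocker's configuration is not visible in this hunk. The enclosing `describe HipchatService do` block starts outside the hunk.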