Prevent SSRF attacks in HipChat integration

This change monkey patches the HipChat client to use the GitLab HTTParty
connection adapter, which can block access to certain hosts.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51142

changelogs/unreleased/sh-fix-hipchat-ssrf.yml

+---
+title: Prevent SSRF attacks in HipChat integration
+merge_request:
+author:
+type: security

config/initializers/hipchat_client_patch.rb

+# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
+module HipChat
+  class Client
+    connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+  end
+
+  class Room
+    connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+  end
+
+  class User
+    connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
+  end
+end

spec/models/project_services/hipchat_service_spec.rb

@@ -387,4 +387,22 @@ describe HipchatService do
       end
     end
   end
+
+  context 'with UrlBlocker' do
+    let(:user)    { create(:user) }
+    let(:project) { create(:project, :repository) }
+    let(:hipchat) { described_class.new(project: project) }
+    let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
+
+    describe '#execute' do
+      before do
+        hipchat.server = 'http://localhost:9123'
+      end
+
+      it 'raises UrlBlocker for localhost' do
+        expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
+        expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
+      end
+    end
+  end
 end