Merge branch 'security-badge-camo' into 'master'

Run badge images through asset proxy

Closes #33

See merge request gitlab-org/security/gitlab!232

app/models/badge.rb

@@ -32,7 +32,9 @@ class Badge < ApplicationRecord
   end
 
   def rendered_image_url(project = nil)
-    build_rendered_url(image_url, project)
+    Gitlab::AssetProxy.proxy_url(
+      build_rendered_url(image_url, project)
+    )
   end
 
   private

changelogs/unreleased/security-badge-camo.yml

+---
+title: Run project badge images through the asset proxy
+merge_request:
+author:
+type: security

lib/gitlab/asset_proxy.rb

+# frozen_string_literal: true
+
+# This is based on https://github.com/jch/html-pipeline/blob/v2.12.2/lib/html/pipeline/camo_filter.rb
+# and Banzai::Filter::AssetProxyFilter which we use to proxy images in Markdown
+
+module Gitlab
+  module AssetProxy
+    class << self
+      def proxy_url(url)
+        return url unless Gitlab.config.asset_proxy.enabled
+        return url if asset_host_whitelisted?(url)
+
+        "#{Gitlab.config.asset_proxy.url}/#{asset_url_hash(url)}/#{hexencode(url)}"
+      end
+
+      private
+
+      def asset_host_whitelisted?(url)
+        parsed_url = URI.parse(url)
+
+        Gitlab.config.asset_proxy.domain_regexp&.match?(parsed_url.host)
+      end
+
+      def asset_url_hash(url)
+        OpenSSL::HMAC.hexdigest('sha1', Gitlab.config.asset_proxy.secret_key, url)
+      end
+
+      def hexencode(str)
+        str.unpack1('H*')
+      end
+    end
+  end
+end

spec/lib/gitlab/asset_proxy_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::AssetProxy do
+  context 'when asset proxy is disabled' do
+    before do
+      stub_asset_proxy_setting(enabled: false)
+    end
+
+    it 'returns the original URL' do
+      url = 'http://example.com/test.png'
+
+      expect(described_class.proxy_url(url)).to eq(url)
+    end
+  end
+
+  context 'when asset proxy is enabled' do
+    before do
+      stub_asset_proxy_setting(whitelist: %w(gitlab.com *.mydomain.com))
+      stub_asset_proxy_setting(
+        enabled: true,
+        url: 'https://assets.example.com',
+        secret_key: 'shared-secret',
+        domain_regexp: Banzai::Filter::AssetProxyFilter.compile_whitelist(Gitlab.config.asset_proxy.whitelist)
+      )
+    end
+
+    it 'returns a proxied URL' do
+      url = 'http://example.com/test.png'
+      proxied_url = 'https://assets.example.com/08df250eeeef1a8cf2c761475ac74c5065105612/687474703a2f2f6578616d706c652e636f6d2f746573742e706e67'
+
+      expect(described_class.proxy_url(url)).to eq(proxied_url)
+    end
+
+    context 'whitelisted domain' do
+      it 'returns original URL for single domain whitelist' do
+        url = 'http://gitlab.com/test.png'
+
+        expect(described_class.proxy_url(url)).to eq(url)
+      end
+
+      it 'returns original URL for wildcard subdomain whitelist' do
+        url = 'http://test.mydomain.com/test.png'
+
+        expect(described_class.proxy_url(url)).to eq(url)
+      end
+    end
+  end
+end

spec/models/badge_spec.rb

@@ -91,6 +91,22 @@ describe Badge do
       let(:method) { :image_url }
 
       it_behaves_like 'rendered_links'
+
+      context 'when asset proxy is enabled' do
+        let(:placeholder_url) { 'http://www.example.com/image' }
+
+        before do
+          stub_asset_proxy_setting(
+            enabled: true,
+            url: 'https://assets.example.com',
+            secret_key: 'shared-secret'
+          )
+        end
+
+        it 'returns a proxied URL' do
+          expect(badge.rendered_image_url).to start_with('https://assets.example.com')
+        end
+      end
     end
   end
 end