Commit 4e9c531a authored by Thong Kuah's avatar Thong Kuah

Merge branch 'fj-remove-dns-protection-when-validating' into 'master'

Avoid checking dns rebind protection in validation

Closes #66723

See merge request gitlab-org/gitlab-ce!32577
parents 8d93ec2e 537eb0bb
......@@ -42,6 +42,11 @@
class AddressableUrlValidator < ActiveModel::EachValidator
attr_reader :record
# By default, we avoid checking the dns rebinding protection
# when saving/updating a record. Sometimes, the url
# is not resolvable at that point, and some automated
# tasks that uses that url won't work.
# See https://gitlab.com/gitlab-org/gitlab-ce/issues/66723
BLOCKER_VALIDATE_OPTIONS = {
schemes: %w(http https),
ports: [],
......@@ -49,7 +54,8 @@ class AddressableUrlValidator < ActiveModel::EachValidator
allow_local_network: true,
ascii_only: false,
enforce_user: false,
enforce_sanitization: false
enforce_sanitization: false,
dns_rebind_protection: false
}.freeze
DEFAULT_OPTIONS = BLOCKER_VALIDATE_OPTIONS.merge({
......
---
title: Avoid checking dns rebind protection when validating
merge_request: 32577
author:
type: fixed
......@@ -92,6 +92,15 @@ describe AddressableUrlValidator do
expect(badge.errors).to be_empty
expect(badge.link_url).to eq('https://127.0.0.1')
end
it 'allows urls that cannot be resolved' do
stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
badge.link_url = 'http://foobar.x'
subject
expect(badge.errors).to be_empty
end
end
context 'when message is set' do
......@@ -312,4 +321,32 @@ describe AddressableUrlValidator do
end
end
end
context 'when dns_rebind_protection is' do
let(:not_resolvable_url) { 'http://foobar.x' }
let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) }
before do
stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
badge.link_url = not_resolvable_url
subject
end
context 'true' do
let(:dns_value) { true }
it 'raises error' do
expect(badge.errors).to be_present
end
end
context 'false' do
let(:dns_value) { false }
it 'allows urls that cannot be resolved' do
expect(badge.errors).to be_empty
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment