Commit 4fe052ee authored by Stan Hu's avatar Stan Hu Committed by Mayra Cabrera

Prevent SSRF attacks in HipChat integration

This change monkey patches the HipChat client to use the GitLab HTTParty
connection adapter, which can block access to certain hosts.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51142
parent b958e271
---
title: Prevent SSRF attacks in HipChat integration
merge_request:
author:
type: security
# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
module HipChat
class Client
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
end
class Room
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
end
class User
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
end
end
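Review bot: The reopened `HipChat::Client`, `HipChat::Room` and `HipChat::User` bodies only patch the gem's classes if hipchat-rb is already loaded when this file runs; if it is not, `class Client` defines a fresh class that never included HTTParty and `connection_adapter` raises NoMethodError at boot, so the gap would surface loudly rather than silently, but the load-order dependency (presumably Bundler.require) is left implicit. I would make it explicit with `require 'hipchat'` above the `module HipChat` line. The header comment could also say what the adapter buys, e.g. `# Routes every request hipchat-rb makes through Gitlab::ProxyHTTPConnectionAdapter so the same URL validation as Gitlab::HTTP applies; the gem includes HTTParty directly and would otherwise skip it.` — that the gem would otherwise skip validation is what the commit message implies, not something visible in this file. Any new HTTParty-backed class in a later gem version would not be covered by these three reopenings, which is worth a sentence in the comment as well.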
...@@ -400,4 +400,22 @@ describe HipchatService do ...@@ -400,4 +400,22 @@ describe HipchatService do
end end
end end
end end
context 'with UrlBlocker' do
let(:user) { create(:user) }
let(:project) { create(:project, :repository) }
let(:hipchat) { described_class.new(project: project) }
let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
describe '#execute' do
before do
hipchat.server = 'http://localhost:9123'
end
it 'raises UrlBlocker for localhost' do
expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
end
end
end
end end
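Review bot: The new `context 'with UrlBlocker'` exercises only the path `#execute` takes for `http://localhost:9123` (a room notification), so the `Client` and `User` patches in the initializer are never asserted, and a gem update that renames one of those classes or stops including HTTParty in it would go unnoticed. A cheap guard is one example over the patched classes: `[HipChat::Client, HipChat::Room, HipChat::User].each do |klass|` / `expect(klass.connection_adapter).to eq(Gitlab::ProxyHTTPConnectionAdapter)` / `end`, which pins the configuration independently of which request the service happens to send. The example also relies on localhost being blocked by the instance's default settings rather than stubbing that explicitly; if that default is configurable, stating it in the example (`allow_local_requests` or whatever the setting is, stubbed to false) keeps the test describing the blocked case. The enclosing `describe HipchatService` block begins outside the hunk.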