Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
fef0f650
Commit
fef0f650
authored
Nov 07, 2017
by
Winnie Hellmann
Committed by
Michael Kozono
Nov 08, 2017
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Merge 10-1-stable into 10-1-stable-ee
parent
c943ef46
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
34 additions
and
2 deletions
+34
-2
lib/api/api.rb
lib/api/api.rb
+4
-1
lib/gitlab/url_blocker.rb
lib/gitlab/url_blocker.rb
+3
-1
spec/lib/gitlab/url_blocker_spec.rb
spec/lib/gitlab/url_blocker_spec.rb
+16
-0
spec/requests/api/projects_spec.rb
spec/requests/api/projects_spec.rb
+6
-0
spec/support/matchers/security_header_matcher.rb
spec/support/matchers/security_header_matcher.rb
+5
-0
No files found.
lib/api/api.rb
View file @
fef0f650
...
@@ -70,7 +70,10 @@ module API
...
@@ -70,7 +70,10 @@ module API
mount
::
API
::
V3
::
Github
mount
::
API
::
V3
::
Github
end
end
before
{
header
[
'X-Frame-Options'
]
=
'SAMEORIGIN'
}
before
do
header
[
'X-Frame-Options'
]
=
'SAMEORIGIN'
header
[
'X-Content-Type-Options'
]
=
'nosniff'
end
# The locale is set to the current user's locale when `current_user` is loaded
# The locale is set to the current user's locale when `current_user` is loaded
after
{
Gitlab
::
I18n
.
use_default_locale
}
after
{
Gitlab
::
I18n
.
use_default_locale
}
...
...
lib/gitlab/url_blocker.rb
View file @
fef0f650
...
@@ -22,10 +22,12 @@ module Gitlab
...
@@ -22,10 +22,12 @@ module Gitlab
return
true
if
blocked_user_or_hostname?
(
uri
.
user
)
return
true
if
blocked_user_or_hostname?
(
uri
.
user
)
return
true
if
blocked_user_or_hostname?
(
uri
.
hostname
)
return
true
if
blocked_user_or_hostname?
(
uri
.
hostname
)
server_ips
=
Resolv
.
getaddresses
(
uri
.
hostname
)
server_ips
=
Addrinfo
.
getaddrinfo
(
uri
.
hostname
,
80
,
nil
,
:STREAM
).
map
(
&
:ip_address
)
return
true
if
(
blocked_ips
&
server_ips
).
any?
return
true
if
(
blocked_ips
&
server_ips
).
any?
rescue
Addressable
::
URI
::
InvalidURIError
rescue
Addressable
::
URI
::
InvalidURIError
return
true
return
true
rescue
SocketError
return
false
end
end
false
false
...
...
spec/lib/gitlab/url_blocker_spec.rb
View file @
fef0f650
...
@@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do
...
@@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com:25/foo/foo.git'
)).
to
be
true
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com:25/foo/foo.git'
)).
to
be
true
end
end
it
'returns true for alternative version of 127.0.0.1 (0177.1)'
do
expect
(
described_class
.
blocked_url?
(
'https://0177.1:65535/foo/foo.git'
)).
to
be
true
end
it
'returns true for alternative version of 127.0.0.1 (0x7f.1)'
do
expect
(
described_class
.
blocked_url?
(
'https://0x7f.1:65535/foo/foo.git'
)).
to
be
true
end
it
'returns true for alternative version of 127.0.0.1 (2130706433)'
do
expect
(
described_class
.
blocked_url?
(
'https://2130706433:65535/foo/foo.git'
)).
to
be
true
end
it
'returns true for alternative version of 127.0.0.1 (127.000.000.001)'
do
expect
(
described_class
.
blocked_url?
(
'https://127.000.000.001:65535/foo/foo.git'
)).
to
be
true
end
it
'returns true for a non-alphanumeric hostname'
do
it
'returns true for a non-alphanumeric hostname'
do
stub_resolv
stub_resolv
...
...
spec/requests/api/projects_spec.rb
View file @
fef0f650
...
@@ -50,6 +50,12 @@ describe API::Projects do
...
@@ -50,6 +50,12 @@ describe API::Projects do
expect
(
json_response
).
to
be_an
Array
expect
(
json_response
).
to
be_an
Array
expect
(
json_response
.
map
{
|
p
|
p
[
'id'
]
}).
to
contain_exactly
(
*
projects
.
map
(
&
:id
))
expect
(
json_response
.
map
{
|
p
|
p
[
'id'
]
}).
to
contain_exactly
(
*
projects
.
map
(
&
:id
))
end
end
it
'returns the proper security headers'
do
get
api
(
'/projects'
,
current_user
),
filter
expect
(
response
).
to
include_security_headers
end
end
end
shared_examples_for
'projects response without N + 1 queries'
do
shared_examples_for
'projects response without N + 1 queries'
do
...
...
spec/support/matchers/security_header_matcher.rb
0 → 100644
View file @
fef0f650
RSpec
::
Matchers
.
define
:include_security_headers
do
|
expected
|
match
do
|
actual
|
expect
(
actual
.
headers
).
to
include
(
'X-Content-Type-Options'
)
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment