Commit fef0f650 authored by Winnie Hellmann's avatar Winnie Hellmann Committed by Michael Kozono

Merge 10-1-stable into 10-1-stable-ee

parent c943ef46
...@@ -70,7 +70,10 @@ module API ...@@ -70,7 +70,10 @@ module API
mount ::API::V3::Github mount ::API::V3::Github
end end
before { header['X-Frame-Options'] = 'SAMEORIGIN' } before do
header['X-Frame-Options'] = 'SAMEORIGIN'
header['X-Content-Type-Options'] = 'nosniff'
end
# The locale is set to the current user's locale when `current_user` is loaded # The locale is set to the current user's locale when `current_user` is loaded
after { Gitlab::I18n.use_default_locale } after { Gitlab::I18n.use_default_locale }
......
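Review bot: The new `header['X-Content-Type-Options'] = 'nosniff'` line has no comment explaining why an API that mostly serves JSON needs it; a one-liner such as `# Stop browsers MIME-sniffing API responses (e.g. rendering JSON or raw attachments as HTML)` would save the next reader a lookup. Whether responses produced by error handlers outside this `before` hook also carry both headers is not visible in this hunk, and the projects spec added in this commit exercises a successful GET only. The enclosing `module API` body starts and continues outside the hunk.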
...@@ -22,10 +22,12 @@ module Gitlab ...@@ -22,10 +22,12 @@ module Gitlab
return true if blocked_user_or_hostname?(uri.user) return true if blocked_user_or_hostname?(uri.user)
return true if blocked_user_or_hostname?(uri.hostname) return true if blocked_user_or_hostname?(uri.hostname)
server_ips = Resolv.getaddresses(uri.hostname) server_ips = Addrinfo.getaddrinfo(uri.hostname, 80, nil, :STREAM).map(&:ip_address)
return true if (blocked_ips & server_ips).any? return true if (blocked_ips & server_ips).any?
rescue Addressable::URI::InvalidURIError rescue Addressable::URI::InvalidURIError
return true return true
rescue SocketError
return false
end end
false false
......
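Review bot: The new `rescue SocketError` / `return false` makes the blocker fail open: a hostname that cannot be resolved at check time is reported as not blocked, and resolution is repeated when the connection is actually made, so the addresses inspected here are not necessarily the ones connected to. This matches the previous behaviour (`Resolv.getaddresses` returned an empty list instead of raising), but the decision deserves a comment such as `# Unresolvable hostnames are not blocked here; the caller's connection attempt fails on its own`, or a fail-closed `return true` if callers can tolerate rejecting transient resolver failures. The switch to `Addrinfo.getaddrinfo` is presumably what makes the octal/hex/decimal loopback spellings in the new specs resolve to 127.0.0.1, since getaddrinfo accepts numeric host forms that `Resolv` would treat as DNS names. The method's `begin`, `blocked_ips` and `blocked_user_or_hostname?` are defined outside the hunk.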
...@@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do ...@@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do
expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git')).to be true expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git')).to be true
end end
it 'returns true for alternative version of 127.0.0.1 (0177.1)' do
expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (0x7f.1)' do
expect(described_class.blocked_url?('https://0x7f.1:65535/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (2130706433)' do
expect(described_class.blocked_url?('https://2130706433:65535/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (127.000.000.001)' do
expect(described_class.blocked_url?('https://127.000.000.001:65535/foo/foo.git')).to be true
end
it 'returns true for a non-alphanumeric hostname' do it 'returns true for a non-alphanumeric hostname' do
stub_resolv stub_resolv
......
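Review bot: None of the new examples covers the `rescue SocketError` path added to the blocker in this commit, so the fail-open result for an unresolvable hostname is left unpinned. An example with `allow(Addrinfo).to receive(:getaddrinfo).and_raise(SocketError)` followed by `expect(described_class.blocked_url?('https://unresolvable.example/foo/foo.git')).to be false` would document that decision and fail loudly if it is later reversed. The four new loopback examples rely on the real `Addrinfo.getaddrinfo` rather than `stub_resolv`; that is fine because numeric hosts resolve without network access, but a comment saying so would stop someone from adding `stub_resolv` and hiding what is being tested.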
...@@ -50,6 +50,12 @@ describe API::Projects do ...@@ -50,6 +50,12 @@ describe API::Projects do
expect(json_response).to be_an Array expect(json_response).to be_an Array
expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id)) expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id))
end end
it 'returns the proper security headers' do
get api('/projects', current_user), filter
expect(response).to include_security_headers
end
end end
shared_examples_for 'projects response without N + 1 queries' do shared_examples_for 'projects response without N + 1 queries' do
......
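Review bot: The new example asserts the security headers on a successful listing only; whether the API `before` hook changed in this commit also runs for responses produced by error handlers cannot be seen from here. A second request that yields an error status, for example one without `current_user`, followed by `expect(response).to include_security_headers` would show the headers also hold on error paths. `filter`, `current_user` and `projects` are defined outside the hunk.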
RSpec::Matchers.define :include_security_headers do |expected|
match do |actual|
expect(actual.headers).to include('X-Content-Type-Options')
end
end
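Review bot: The matcher only checks that the `X-Content-Type-Options` key is present, so a response that carries the header with a wrong value, or that lacks `X-Frame-Options` entirely, still passes. Asserting both values gives the spec teeth: `expect(actual.headers).to include('X-Content-Type-Options' => 'nosniff', 'X-Frame-Options' => 'SAMEORIGIN')`. The `|expected|` block parameter on the `define` line is never used and can be dropped.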