root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Block link-local addresses in URLBlocker 

Closes https://gitlab.com/gitlab-com/migration/issues/766
This commit is contained in:
Stan Hu 2018-08-11 03:38:21 -07:00
parent 197a305b84
commit b3f7558750
3 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
changelogs/unreleased/sh-block-link-local-master.yml Normal file
View File

@ -0,0 +1,5 @@
---
title: Block link-local addresses in URLBlocker
merge_request:
author:
type: security

8
lib/gitlab/url_blocker.rb
View File

@ -31,6 +31,7 @@ module Gitlab
validate_localhost!(addrs_info) unless allow_localhost validate_localhost!(addrs_info) unless allow_localhost
validate_local_network!(addrs_info) unless allow_local_network validate_local_network!(addrs_info) unless allow_local_network
validate_link_local!(addrs_info) unless allow_local_network
true true
end end
@ -89,6 +90,13 @@ module Gitlab
raise BlockedUrlError, "Requests to the local network are not allowed" raise BlockedUrlError, "Requests to the local network are not allowed"
end end
def validate_link_local!(addrs_info)
netmask = IPAddr.new('169.254.0.0/16')
return unless addrs_info.any? { |addr| addr.ipv6_linklocal? || netmask.include?(addr.ip_address) }
raise BlockedUrlError, "Requests to the link local network are not allowed"
end
def internal?(uri) def internal?(uri)
internal_web?(uri) || internal_shell?(uri) internal_web?(uri) || internal_shell?(uri)
end end

25
spec/lib/gitlab/url_blocker_spec.rb
View File

@ -1,3 +1,4 @@
# coding: utf-8
require 'spec_helper' require 'spec_helper'
describe Gitlab::UrlBlocker do describe Gitlab::UrlBlocker do
@ -82,6 +83,17 @@ describe Gitlab::UrlBlocker do
expect(described_class).not_to be_blocked_url("http://#{ip}") expect(described_class).not_to be_blocked_url("http://#{ip}")
end end
end end
it 'allows IPv4 link-local endpoints' do
expect(described_class).not_to be_blocked_url('http://169.254.169.254')
expect(described_class).not_to be_blocked_url('http://169.254.168.100')
end
# This is blocked due to the hostname check: https://gitlab.com/gitlab-org/gitlab-ce/issues/50227
it 'blocks IPv6 link-local endpoints' do
expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]')
expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]')
end
end end
context 'false' do context 'false' do
@ -96,10 +108,21 @@ describe Gitlab::UrlBlocker do
expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false) expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false)
end end
end end
it 'blocks IPv4 link-local endpoints' do
expect(described_class).to be_blocked_url('http://169.254.169.254', allow_local_network: false)
expect(described_class).to be_blocked_url('http://169.254.168.100', allow_local_network: false)
end
it 'blocks IPv6 link-local endpoints' do
expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]', allow_local_network: false)
expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]', allow_local_network: false)
expect(described_class).to be_blocked_url('http://[FE80::C800:EFF:FE74:8]', allow_local_network: false)
end
end end
def stub_domain_resolv(domain, ip) def stub_domain_resolv(domain, ip)
allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true)]) allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false)])
end end
def unstub_domain_resolv def unstub_domain_resolv