GitLab Bot
921173681c
Add latest changes from gitlab-org/gitlab@master
2021-03-10 09:09:29 +00:00
GitLab Bot
75a4eaade0
Add latest changes from gitlab-org/gitlab@master
2021-02-17 12:09:26 +00:00
GitLab Bot
3c97422b09
Add latest changes from gitlab-org/gitlab@master
2021-02-17 06:09:21 +00:00
GitLab Bot
6986c1adc2
Add latest changes from gitlab-org/gitlab@master
2021-02-15 12:09:29 +00:00
GitLab Bot
00f4585755
Add latest changes from gitlab-org/gitlab@master
2021-02-03 09:09:07 +00:00
GitLab Bot
d8714cf67c
Add latest changes from gitlab-org/gitlab@master
2021-02-02 00:09:14 +00:00
GitLab Bot
a08f8baa63
Add latest changes from gitlab-org/gitlab@master
2020-11-10 12:08:57 +00:00
GitLab Bot
bdca097916
Add latest changes from gitlab-org/gitlab@master
2020-08-11 03:11:00 +00:00
GitLab Bot
c59765a50a
Add latest changes from gitlab-org/gitlab@master
2020-06-24 18:09:03 +00:00
GitLab Bot
78fe72d153
Add latest changes from gitlab-org/gitlab@master
2020-03-16 03:09:14 +00:00
GitLab Bot
7ebcead8cf
Add latest changes from gitlab-org/gitlab@master
2020-03-09 18:07:59 +00:00
GitLab Bot
167894d0e7
Add latest changes from gitlab-org/gitlab@master
2020-01-24 21:09:09 +00:00
GitLab Bot
1da3754b25
Add latest changes from gitlab-org/gitlab@master
2019-10-03 21:07:29 +00:00
GitLab Bot
bd860c22f6
Add latest changes from gitlab-org/gitlab@master
2019-09-17 12:06:48 +00:00
GitLab Bot
b7dfe2ae40
Add latest changes from gitlab-org/gitlab@master
2019-09-13 13:26:31 +00:00
Francisco Javier López
b4ea71f9ed
Allow non-resolvable URLs when rebinding setting is disabled
Now, when the DNS rebinding setting is disabled, we will
allow URLs that are not resolvable.
2019-09-05 06:07:17 +00:00
Thong Kuah
8c42a0eac0
Add frozen_string_literal to lib part 2
Using the sed script from
https://gitlab.com/gitlab-org/gitlab-ce/issues/59758
2019-08-23 00:15:24 +12:00
Robert Speicher
fe22704a20
Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq
2019-07-29 13:19:50 -05:00
Reuben Pereira
e5bdcfbc9b
[ADD] outbound requests whitelist
Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>
2019-07-24 17:59:38 +00:00
Francisco Javier López
f5c1cd4898
Fix Server Side Request Forgery mitigation bypass
When we can't resolve the hostname or it is invalid, we shouldn't
even perform the request. This fix also fixes the SSRF rebinding
attack problem.
We can't stub feature flags outside example blocks. Nevertheless,
there are some actions that call the UrlBlocker and are performed
outside example blocks, i.e. the `set` instruction.
That's why we have to use some signaling mechanism outside the scope
of the specs.
2019-07-15 09:21:20 +02:00
Reuben Pereira
28c76fb551
Don't use bang method when there is no safe method
https://github.com/rubocop-hq/ruby-style-guide#dangerous-method-bang
2019-07-12 07:04:44 +00:00
Oswaldo Ferreira
a1a0f8e6b0
Add DNS rebinding protection settings
2019-05-30 10:47:57 -03:00
Douwe Maan
a9bcddee4c
Protect Gitlab::HTTP against DNS rebinding attack
Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.
2019-05-30 10:47:31 -03:00
Thong Kuah
d119d3d1b2
Align UrlValidator to validate_url gem implementation.
Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.
2019-04-11 06:29:07 +00:00
James Edwards-Jones
72c0059407
Allow URLs to be validated as ascii_only
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
2018-12-06 15:18:18 +00:00
Steve Azzopardi
a9f5b22394
Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'
[11.5] Fix SSRF in project integrations
See merge request gitlab/gitlabhq!2611
2018-11-28 19:14:36 -05:00
Cindy Pallares
4bc6f2e3ac
Merge branch 'security-stored-xss-for-environments' into 'master'
[master] Stored XSS for Environments
Closes #2727
See merge request gitlab/gitlabhq!2594
2018-11-28 19:07:29 -05:00
Stan Hu
b1d04cf9d5
Block loopback addresses in UrlBlocker
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128
2018-09-05 22:04:23 -07:00
Stan Hu
b3f7558750
Block link-local addresses in URLBlocker
Closes https://gitlab.com/gitlab-com/migration/issues/766
2018-08-12 22:34:34 -07:00
Francisco Javier López
1418afc2d6
Avoid checking the user format in every url validation
2018-06-11 13:29:37 +00:00
Francisco Javier López
840f80d48b
Add validation to webhook and service URLs to ensure they are not blocked because of SSRF
2018-06-01 11:43:53 +00:00
Douwe Maan
b290d929bc
Rename allow_private_networks to allow_local_network
2018-04-02 17:24:19 +02:00
Douwe Maan
95ced3bb5f
Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'
Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2337
2018-03-21 14:39:21 +00:00
Douwe Maan
89bd78352e
Merge branch 'ssrf-protections-round-2' into 'security-10-1'
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
See merge request gitlab/gitlabhq!2219
(cherry picked from commit 4a1e73783d)
1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
2017-11-08 20:11:08 -08:00
James Edwards-Jones
b296921681
Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'
Ensure user and hostnames begin with an alnum character in UrlBlocker
See merge request !2138
2017-08-10 20:47:28 +01:00
Rémy Coutable
ddccd24c13
Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-27 14:31:53 +02:00
Douwe Maan
65aafb9917
Merge branch 'ssrf' into 'security'
Protect server against SSRF in project import URLs
See merge request !2068
2017-03-20 18:53:04 -07:00