GitLab Bot
75a4eaade0
Add latest changes from gitlab-org/gitlab@master
2021-02-17 12:09:26 +00:00
GitLab Bot
6986c1adc2
Add latest changes from gitlab-org/gitlab@master
2021-02-15 12:09:29 +00:00
GitLab Bot
d8714cf67c
Add latest changes from gitlab-org/gitlab@master
2021-02-02 00:09:14 +00:00
GitLab Bot
a08f8baa63
Add latest changes from gitlab-org/gitlab@master
2020-11-10 12:08:57 +00:00
GitLab Bot
4bc1e04a7a
Add latest changes from gitlab-org/gitlab@master
2020-10-29 06:08:45 +00:00
GitLab Bot
eb004dc626
Add latest changes from gitlab-org/gitlab@master
2020-10-27 12:08:33 +00:00
GitLab Bot
580622bdb3
Add latest changes from gitlab-org/gitlab@master
2020-03-31 18:07:42 +00:00
GitLab Bot
78fe72d153
Add latest changes from gitlab-org/gitlab@master
2020-03-16 03:09:14 +00:00
GitLab Bot
1da3754b25
Add latest changes from gitlab-org/gitlab@master
2019-10-03 21:07:29 +00:00
GitLab Bot
b7dfe2ae40
Add latest changes from gitlab-org/gitlab@master
2019-09-13 13:26:31 +00:00
Francisco Javier López
b4ea71f9ed
Allow not resolvable urls when rebinding setting is disabled
...
Now, when the DNS rebinding setting is disabled, we will
allow URLs that are not resolvable.
2019-09-05 06:07:17 +00:00
Francisco Javier López
5738171aef
Fix broken master because of security merge
2019-07-29 20:58:44 +00:00
Robert Speicher
fe22704a20
Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq
2019-07-29 13:19:50 -05:00
Reuben Pereira
e5bdcfbc9b
[ADD] outbound requests whitelist
...
Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>
2019-07-24 17:59:38 +00:00
Francisco Javier López
f5c1cd4898
Fix Server Side Request Forgery mitigation bypass
...
When we can't resolve the hostname or it is invalid, we shouldn't
even perform the request. This fix also fixes the problem of the
SSRF rebinding attack.
We can't stub feature flags outside example blocks. Nevertheless,
there are some actions that call the UrlBlocker that are performed
outside example blocks, i.e. the `set` instruction.
That's why we have to use some signaling mechanism outside the scope
of the specs.
2019-07-15 09:21:20 +02:00
Reuben Pereira
28c76fb551
Don't use bang method when there is no safe method
...
https://github.com/rubocop-hq/ruby-style-guide#dangerous-method-bang
2019-07-12 07:04:44 +00:00
Oswaldo Ferreira
a1a0f8e6b0
Add DNS rebinding protection settings
2019-05-30 10:47:57 -03:00
Douwe Maan
a9bcddee4c
Protect Gitlab::HTTP against DNS rebinding attack
...
Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.
2019-05-30 10:47:31 -03:00
Thong Kuah
d119d3d1b2
Align UrlValidator to validate_url gem implementation.
...
Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.
2019-04-11 06:29:07 +00:00
Reuben Pereira
f40b5860d7
Add table and model for error tracking settings
2019-01-07 17:55:21 +00:00
James Edwards-Jones
72c0059407
Allow URLs to be validated as ascii_only
...
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
2018-12-06 15:18:18 +00:00
Steve Azzopardi
a9f5b22394
Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'
...
[11.5] Fix SSRF in project integrations
See merge request gitlab/gitlabhq!2611
2018-11-28 19:14:36 -05:00
Cindy Pallares
c0e5d9afee
Merge branch 'security-fj-crlf-injection' into 'master'
...
[master] Fix CRLF issue in UrlValidator
See merge request gitlab/gitlabhq!2627
2018-11-28 19:14:06 -05:00
Cindy Pallares
4bc6f2e3ac
Merge branch 'security-stored-xss-for-environments' into 'master'
...
[master] Stored XSS for Environments
Closes #2727
See merge request gitlab/gitlabhq!2594
2018-11-28 19:07:29 -05:00
Thiago Presa
cc571e18d3
Merge branch 'sh-block-other-localhost' into 'master'
...
Block additional localhost addresses in UrlBlocker
See merge request gitlab/gitlabhq!2487
2018-10-25 01:05:44 +00:00
gfyoung
c858f70d07
Enable frozen string for lib/gitlab/*.rb
2018-10-22 07:00:50 +00:00
Stan Hu
b1d04cf9d5
Block loopback addresses in UrlBlocker
...
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128
2018-09-05 22:04:23 -07:00
Stan Hu
b3f7558750
Block link-local addresses in URLBlocker
...
Closes https://gitlab.com/gitlab-com/migration/issues/766
2018-08-12 22:34:34 -07:00
Francisco Javier López
1418afc2d6
Avoid checking the user format in every url validation
2018-06-11 13:29:37 +00:00
Francisco Javier López
840f80d48b
Add validation to webhook and service URLs to ensure they are not blocked because of SSRF
2018-06-01 11:43:53 +00:00
Douwe Maan
b290d929bc
Rename allow_private_networks to allow_local_network
2018-04-02 17:24:19 +02:00
Douwe Maan
b95918dda8
Make error messages even more descriptive
2018-04-02 17:20:18 +02:00
Douwe Maan
2e3bc6a941
Raise more descriptive errors when URLs are blocked
2018-04-02 17:20:01 +02:00
Douwe Maan
95ced3bb5f
Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'
...
Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2337
2018-03-21 14:39:21 +00:00
Douwe Maan
89bd78352e
Merge branch 'ssrf-protections-round-2' into 'security-10-1'
...
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
See merge request gitlab/gitlabhq!2219
(cherry picked from commit 4a1e73783d)
1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
2017-11-08 20:11:08 -08:00
James Edwards-Jones
b296921681
Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'
...
Ensure user and hostnames begin with an alnum character in UrlBlocker
See merge request !2138
2017-08-10 20:47:28 +01:00
Rubén Dávila
83a0c39808
Merge branch 'ssrf' into 'security'
...
nil check for url_blocker?
See merge request !2076
2017-03-20 18:53:45 -07:00
Douwe Maan
65aafb9917
Merge branch 'ssrf' into 'security'
...
Protect server against SSRF in project import URLs
See merge request !2068
2017-03-20 18:53:04 -07:00