580622bdb3  GitLab Bot  2020-03-31 18:07:42 +00:00
  Add latest changes from gitlab-org/gitlab@master

78fe72d153  GitLab Bot  2020-03-16 03:09:14 +00:00
  Add latest changes from gitlab-org/gitlab@master

1da3754b25  GitLab Bot  2019-10-03 21:07:29 +00:00
  Add latest changes from gitlab-org/gitlab@master

b7dfe2ae40  GitLab Bot  2019-09-13 13:26:31 +00:00
  Add latest changes from gitlab-org/gitlab@master

b4ea71f9ed  Francisco Javier López  2019-09-05 06:07:17 +00:00
  Allow not resolvable urls when rebinding setting is disabled

  Now, when the DNS rebinding setting is disabled, we will
  allow urls that are not resolvable.

5738171aef  Francisco Javier López  2019-07-29 20:58:44 +00:00
  Fix broken master because of security merge

fe22704a20  Robert Speicher  2019-07-29 13:19:50 -05:00
  Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq

e5bdcfbc9b  Reuben Pereira  2019-07-24 17:59:38 +00:00
  [ADD] outbound requests whitelist

  Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>

f5c1cd4898  Francisco Javier López  2019-07-15 09:21:20 +02:00
  Fix Server Side Request Forgery mitigation bypass

  When we can't resolve the hostname or it is invalid, we shouldn't
  even perform the request. This fix also fixes the problem of the
  SSRF rebinding attack.
  We can't stub feature flags outside example blocks. Nevertheless,
  there are some actions that call the UrlBlocker, that are performed
  outside example blocks, i.e. the `set` instruction.
  That's why we have to use some signaling mechanism outside the scope
  of the specs.

28c76fb551  Reuben Pereira  2019-07-12 07:04:44 +00:00
  Don't use bang method when there is no safe method

  https://github.com/rubocop-hq/ruby-style-guide#dangerous-method-bang

a1a0f8e6b0  Oswaldo Ferreira  2019-05-30 10:47:57 -03:00
  Add DNS rebinding protection settings

a9bcddee4c  Douwe Maan  2019-05-30 10:47:31 -03:00
  Protect Gitlab::HTTP against DNS rebinding attack

  Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
  blocked, and then uses the same IP to perform the actual request, while
  passing the original hostname in the `Host` header and SSL SNI field.

d119d3d1b2  Thong Kuah  2019-04-11 06:29:07 +00:00
  Align UrlValidator to validate_url gem implementation.

  Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
  Make use of the options attribute of the parent class ActiveModel::EachValidator.
  Add more options: allow_nil, allow_blank, message.
  Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

f40b5860d7  Reuben Pereira  2019-01-07 17:55:21 +00:00
  Add table and model for error tracking settings

72c0059407  James Edwards-Jones  2018-12-06 15:18:18 +00:00
  Allow URLs to be validated as ascii_only

  Restricts unicode characters and IDNA deviations
  which could be used in a phishing attack

a9f5b22394  Steve Azzopardi  2018-11-28 19:14:36 -05:00
  Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'

  [11.5] Fix SSRF in project integrations
  See merge request gitlab/gitlabhq!2611

c0e5d9afee  Cindy Pallares  2018-11-28 19:14:06 -05:00
  Merge branch 'security-fj-crlf-injection' into 'master'

  [master] Fix CRLF issue in UrlValidator
  See merge request gitlab/gitlabhq!2627

4bc6f2e3ac  Cindy Pallares  2018-11-28 19:07:29 -05:00
  Merge branch 'security-stored-xss-for-environments' into 'master'

  [master] Stored XSS for Environments
  Closes #2727
  See merge request gitlab/gitlabhq!2594

cc571e18d3  Thiago Presa  2018-10-25 01:05:44 +00:00
  Merge branch 'sh-block-other-localhost' into 'master'

  Block additional localhost addresses in UrlBlocker
  See merge request gitlab/gitlabhq!2487

c858f70d07  gfyoung  2018-10-22 07:00:50 +00:00
  Enable frozen string for lib/gitlab/*.rb

b1d04cf9d5  Stan Hu  2018-09-05 22:04:23 -07:00
  Block loopback addresses in UrlBlocker

  Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128

b3f7558750  Stan Hu  2018-08-12 22:34:34 -07:00
  Block link-local addresses in URLBlocker

  Closes https://gitlab.com/gitlab-com/migration/issues/766

1418afc2d6  Francisco Javier López  2018-06-11 13:29:37 +00:00
  Avoid checking the user format in every url validation

840f80d48b  Francisco Javier López  2018-06-01 11:43:53 +00:00
  Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

b290d929bc  Douwe Maan  2018-04-02 17:24:19 +02:00
  Rename allow_private_networks to allow_local_network

b95918dda8  Douwe Maan  2018-04-02 17:20:18 +02:00
  Make error messages even more descriptive

2e3bc6a941  Douwe Maan  2018-04-02 17:20:01 +02:00
  Raise more descriptive errors when URLs are blocked

95ced3bb5f  Douwe Maan  2018-03-21 14:39:21 +00:00
  Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

  Server Side Request Forgery in Services and Web Hooks
  See merge request gitlab/gitlabhq!2337

89bd78352e  Douwe Maan  2017-11-08 20:11:08 -08:00
  Merge branch 'ssrf-protections-round-2' into 'security-10-1'

  Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
  See merge request gitlab/gitlabhq!2219
  (cherry picked from commit 4a1e73783d)
  1bffa0c3  Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions

b296921681  James Edwards-Jones  2017-08-10 20:47:28 +01:00
  Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'

  Ensure user and hostnames begin with an alnum character in UrlBlocker
  See merge request !2138

83a0c39808  Rubén Dávila  2017-03-20 18:53:45 -07:00
  Merge branch 'ssrf' into 'security'

  nil check for url_blocker?
  See merge request !2076

65aafb9917  Douwe Maan  2017-03-20 18:53:04 -07:00
  Merge branch 'ssrf' into 'security'

  Protect server against SSRF in project import URLs
  See merge request !2068