Reuben Pereira
e5bdcfbc9b
[ADD] outbound requests whitelist
Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>
2019-07-24 17:59:38 +00:00
Reuben Pereira
28c76fb551
Don't use bang method when there is no safe method
https://github.com/rubocop-hq/ruby-style-guide#dangerous-method-bang
2019-07-12 07:04:44 +00:00
Oswaldo Ferreira
a1a0f8e6b0
Add DNS rebinding protection settings
2019-05-30 10:47:57 -03:00
Douwe Maan
a9bcddee4c
Protect Gitlab::HTTP against DNS rebinding attack
Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.
2019-05-30 10:47:31 -03:00
Thong Kuah
d119d3d1b2
Align UrlValidator to validate_url gem implementation.
Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.
2019-04-11 06:29:07 +00:00
Reuben Pereira
f40b5860d7
Add table and model for error tracking settings
2019-01-07 17:55:21 +00:00
James Edwards-Jones
72c0059407
Allow URLs to be validated as ascii_only
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
2018-12-06 15:18:18 +00:00
Steve Azzopardi
a9f5b22394
Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'
[11.5] Fix SSRF in project integrations
See merge request gitlab/gitlabhq!2611
2018-11-28 19:14:36 -05:00
Cindy Pallares
c0e5d9afee
Merge branch 'security-fj-crlf-injection' into 'master'
[master] Fix CRLF issue in UrlValidator
See merge request gitlab/gitlabhq!2627
2018-11-28 19:14:06 -05:00
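Added example (not GitLab's AddressableUrlValidator or UrlValidator code): a plain-Ruby URL check with the options named in the 2019-04-11 entry (schemes, allow_nil, allow_blank), the ascii_only option from the 2018-12-06 entry, the CRLF rejection from this entry, and the rule from the 2017-08-10 entry that user and host begin with an alphanumeric character. The class name UrlCheck, the error messages and the authority regex are assumptions; the sample URLs in the comments are constructed.

```ruby
# Stand-alone URL validator modelled on the checks described in the commit
# log above. Not the project's own code; names and messages are assumptions.
class UrlCheck
  DEFAULTS = { schemes: %w[http https], ascii_only: false,
               allow_nil: false, allow_blank: false }.freeze

  # RFC 3986-style split of scheme://[userinfo@]host[:port][rest]. The rest of
  # the URL is only required to contain no whitespace; IPv6 literals keep
  # their brackets in :host.
  URL_RE = %r{\A(?<scheme>[A-Za-z][A-Za-z0-9+.\-]*)://
              (?:(?<userinfo>[^@/?#\s]*)@)?
              (?<host>\[[0-9A-Fa-f:.]+\]|[^@:/?#\s]+)
              (?::(?<port>\d{1,5}))?
              (?<rest>[/?#]\S*)?\z}x

  def initialize(**opts)
    @opts = DEFAULTS.merge(opts)
  end

  def valid?(value)
    error_for(value).nil?
  end

  # Returns nil when the value passes, otherwise the message an ActiveModel
  # validator would add to record.errors.
  def error_for(value)
    return (@opts[:allow_nil] ? nil : 'is required') if value.nil?
    return 'must be a string' unless value.is_a?(String)
    return (@opts[:allow_blank] ? nil : "can't be blank") if value.strip.empty?

    # A CR or LF inside the URL lets the value smuggle extra header or log
    # lines into anything that writes it out verbatim; reject before parsing.
    return 'must not contain line breaks' if value.match?(/[\r\n]/)

    # ascii_only: homoglyph hostnames (e.g. Cyrillic "а" in gitlаb.com) and the
    # IDNA 2008 deviation characters (U+00DF, U+03C2, U+200C, U+200D) are all
    # non-ASCII, so a single check on the raw value covers them.
    return 'must contain only ASCII characters' if @opts[:ascii_only] && !value.ascii_only?

    m = URL_RE.match(value)
    return 'is not a valid URL' unless m

    schemes = @opts[:schemes].map(&:downcase)
    return "scheme must be one of: #{schemes.join(', ')}" unless schemes.include?(m[:scheme].downcase)

    # A user or host beginning with "-" turns into an option if the URL is ever
    # passed to a command line (git, ssh, curl), so both must start alphanumeric.
    user = m[:userinfo].to_s.split(':', 2).first.to_s
    return 'user must start with a letter or digit' if !user.empty? && !user.match?(/\A[[:alnum:]]/)

    host = m[:host]
    return 'host must start with a letter or digit' unless host.start_with?('[') || host.match?(/\A[[:alnum:]]/)

    nil
  end
end
```

With ascii_only left at its default the check accepts an IDN host such as straße.example, which is the behaviour the option exists to tighten; with ascii_only: true the same value is rejected before any parsing happens. Note that a punycode label (xn--...) is pure ASCII and passes this check, so ascii_only is a phishing mitigation for what users type, not a substitute for resolving and checking the address.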
Cindy Pallares
4bc6f2e3ac
Merge branch 'security-stored-xss-for-environments' into 'master'
[master] Stored XSS for Environments
Closes #2727
See merge request gitlab/gitlabhq!2594
2018-11-28 19:07:29 -05:00
Thiago Presa
cc571e18d3
Merge branch 'sh-block-other-localhost' into 'master'
Block additional localhost addresses in UrlBlocker
See merge request gitlab/gitlabhq!2487
2018-10-25 01:05:44 +00:00
gfyoung
c858f70d07
Enable frozen string for lib/gitlab/*.rb
2018-10-22 07:00:50 +00:00
Stan Hu
b1d04cf9d5
Block loopback addresses in UrlBlocker
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128
2018-09-05 22:04:23 -07:00
Stan Hu
b3f7558750
Block link-local addresses in URLBlocker
Closes https://gitlab.com/gitlab-com/migration/issues/766
2018-08-12 22:34:34 -07:00
Francisco Javier López
1418afc2d6
Avoid checking the user format in every url validation
2018-06-11 13:29:37 +00:00
Francisco Javier López
840f80d48b
Add validation to webhook and service URLs to ensure they are not blocked because of SSRF
2018-06-01 11:43:53 +00:00
Douwe Maan
b290d929bc
Rename allow_private_networks to allow_local_network
2018-04-02 17:24:19 +02:00
Douwe Maan
b95918dda8
Make error messages even more descriptive
2018-04-02 17:20:18 +02:00
Douwe Maan
2e3bc6a941
Raise more descriptive errors when URLs are blocked
2018-04-02 17:20:01 +02:00
Douwe Maan
95ced3bb5f
Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'
Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2337
2018-03-21 14:39:21 +00:00
Douwe Maan
89bd78352e
Merge branch 'ssrf-protections-round-2' into 'security-10-1'
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
See merge request gitlab/gitlabhq!2219
(cherry picked from commit 4a1e73783d )
1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
2017-11-08 20:11:08 -08:00
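Added example (not GitLab's Gitlab::HTTP or UrlBlocker code) covering two things on this page: the DNS rebinding fix in the 2019-05-30 entry ("resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the Host header and SSL SNI field") and this entry's switch to Addrinfo.getaddrinfo together with the loopback, link-local and additional-localhost blocking from the 2018 UrlBlocker commits listed above. PinnedHttp, BlockedUrlError and the injectable resolver: hook are assumptions; allow_local_network mirrors the option named in the 2018-04-02 rename, allow_localhost is assumed. The addresses in the comments are constructed (TEST-NET ranges).

```ruby
require 'ipaddr'
require 'net/http'
require 'socket'
require 'uri'

class BlockedUrlError < StandardError; end

# Resolve-once, check, then connect to the checked IP. Not the project's own
# code; module and method names are assumptions. Net::HTTP#ipaddr= needs Ruby 2.5+.
module PinnedHttp
  module_function

  THIS_NET_V4    = IPAddr.new('0.0.0.0/8')  # 0.0.0.0 reaches the local host on Linux
  UNSPECIFIED_V6 = IPAddr.new('::')

  def localhost_ip?(ip)
    ip.loopback? || (ip.ipv4? ? THIS_NET_V4.include?(ip) : ip == UNSPECIFIED_V6)
  end

  # True for addresses a server-side fetch must never reach: loopback and the
  # unspecified address, link-local (169.254/16 and fe80::/10, which covers
  # cloud metadata endpoints) and, unless allowed, RFC 1918 / fc00::/7.
  # IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so the
  # "alternative localhost versions" fall under the IPv4 rules.
  def blocked_ip?(ip, allow_localhost: false, allow_local_network: false)
    ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
    return true if !allow_localhost && localhost_ip?(ip)
    return true if !allow_local_network && (ip.link_local? || ip.private?)
    false
  end

  # Resolve exactly once and check every returned address: a name that maps to
  # both a public and a private record must still be blocked. The default
  # resolver is Addrinfo.getaddrinfo, so /etc/hosts aliases of localhost are
  # seen; a resolver lambda can be injected to test without DNS.
  def resolve_checked(host, port, resolver: nil, **allow)
    resolver ||= ->(h, p) { Addrinfo.getaddrinfo(h, p, nil, :STREAM).map(&:ip_address) }
    # strip a "%eth0" zone id that link-local IPv6 answers may carry
    addrs = resolver.call(host, port).map { |a| IPAddr.new(a.sub(/%.*\z/, '')) }
    raise BlockedUrlError, "#{host} did not resolve" if addrs.empty?
    bad = addrs.find { |ip| blocked_ip?(ip, **allow) }
    raise BlockedUrlError, "#{host} resolves to blocked address #{bad}" if bad
    addrs.first
  end

  # Builds a Net::HTTP that connects to the checked IP while keeping the
  # original hostname as Net::HTTP#address, which is what Net::HTTP puts in the
  # Host header and uses for TLS SNI and certificate verification. The client
  # is returned unstarted so the decision can be inspected.
  def client_for(url, resolver: nil, **allow)
    uri = URI.parse(url)
    raise BlockedUrlError, 'only http and https are allowed' unless %w[http https].include?(uri.scheme)
    raise BlockedUrlError, 'URL has no host' if uri.hostname.nil? || uri.hostname.empty?

    ip = resolve_checked(uri.hostname, uri.port, resolver: resolver, **allow)
    http = Net::HTTP.new(uri.hostname, uri.port)
    http.use_ssl = (uri.scheme == 'https')
    http.ipaddr = ip.to_s  # connect here, not to a second resolution of the name
    http
  end

  # Performs a GET through the pinned client; the request path comes from the
  # URL, the Host header from http.address.
  def get(url, **opts)
    uri = URI.parse(url)
    client_for(url, **opts).start { |http| http.request(Net::HTTP::Get.new(uri.request_uri)) }
  end
end
```

Because the socket is opened to http.ipaddr rather than to the name, an attacker's DNS cannot return a public address for the check and 127.0.0.1 for the connect. Net::HTTP does not follow redirects, which is the right default here: a 3xx Location must be fed back through client_for so an internal target cannot be reached by bouncing off an allowed host.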
James Edwards-Jones
b296921681
Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'
Ensure user and hostnames begin with an alnum character in UrlBlocker
See merge request !2138
2017-08-10 20:47:28 +01:00
Rubén Dávila
83a0c39808
Merge branch 'ssrf' into 'security'
nil check for url_blocker?
See merge request !2076
2017-03-20 18:53:45 -07:00
Douwe Maan
65aafb9917
Merge branch 'ssrf' into 'security'
Protect server against SSRF in project import URLs
See merge request !2068
2017-03-20 18:53:04 -07:00