Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks See merge request gitlab/gitlabhq!2337
author: Douwe Maan <douwe@gitlab.com> 2018-03-13 22:38:25 +0000
committer: Mark Fletcher <mark@gitlab.com> 2018-03-21 14:39:21 +0000
commit: 95ced3bb5fa52e166aa03ee592f63180601cbde7 (patch)
tree: 8e75e6ccf9a443ba004b11891b84518fd7cfe884 /app/validators
parent: 30c480c2b3f4709f592d8b095f8653df940f6845 (diff)
download: gitlab-ce-95ced3bb5fa52e166aa03ee592f63180601cbde7.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/app/validators/importable_url_validator.rb b/app/validators/importable_url_validator.rb
index 37a314adee6..3ec1594e202 100644
--- a/app/validators/importable_url_validator.rb
+++ b/app/validators/importable_url_validator.rb
@@ -4,7 +4,7 @@
 # protect against Server-side Request Forgery (SSRF).
 class ImportableUrlValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
-    if Gitlab::UrlBlocker.blocked_url?(value)
+    if Gitlab::UrlBlocker.blocked_url?(value, valid_ports: Project::VALID_IMPORT_PORTS)
       record.errors.add(attribute, "imports are not allowed from that URL")
     end
   end
author	Douwe Maan <douwe@gitlab.com>	2018-03-13 22:38:25 +0000
committer	Mark Fletcher <mark@gitlab.com>	2018-03-21 14:39:21 +0000
commit	95ced3bb5fa52e166aa03ee592f63180601cbde7 (patch)
tree	8e75e6ccf9a443ba004b11891b84518fd7cfe884 /app/validators
parent	30c480c2b3f4709f592d8b095f8653df940f6845 (diff)
download	gitlab-ce-95ced3bb5fa52e166aa03ee592f63180601cbde7.tar.gz