diff options
| author | Bob Van Landuyt <bob@gitlab.com> | 2018-09-24 15:47:29 +0000 |
|---|---|---|
| committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-09-24 18:00:38 +0200 |
| commit | 2952d0d8500f2a83d0e712a7b5c6b71a8d1172ae (patch) | |
| tree | 26ec0c0b7317c011e09585550de2938c34660c08 /spec | |
| parent | 9730d13ba01cba7bd3c8e32265fd5d286218b27a (diff) | |
| download | gitlab-ce-2952d0d8500f2a83d0e712a7b5c6b71a8d1172ae.tar.gz | |
Merge branch 'sh-sh-block-other-localhost-11-2' into 'security-11-2'
Block loopback addresses in UrlBlocker (11.2 port)
See merge request gitlab/gitlabhq!2522
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/lib/gitlab/url_blocker_spec.rb | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb index 624e2add860..8df0facdab3 100644 --- a/spec/lib/gitlab/url_blocker_spec.rb +++ b/spec/lib/gitlab/url_blocker_spec.rb @@ -29,6 +29,16 @@ describe Gitlab::UrlBlocker do expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git', protocols: ['http'])).to be true end + it 'returns true for localhost IPs' do + expect(described_class.blocked_url?('https://0.0.0.0/foo/foo.git')).to be true + expect(described_class.blocked_url?('https://[::1]/foo/foo.git')).to be true + expect(described_class.blocked_url?('https://127.0.0.1/foo/foo.git')).to be true + end + + it 'returns true for loopback IP' do + expect(described_class.blocked_url?('https://127.0.0.2/foo/foo.git')).to be true + end + it 'returns true for alternative version of 127.0.0.1 (0177.1)' do expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true end @@ -84,6 +94,16 @@ describe Gitlab::UrlBlocker do end end + it 'allows localhost endpoints' do + expect(described_class).not_to be_blocked_url('http://0.0.0.0', allow_localhost: true) + expect(described_class).not_to be_blocked_url('http://localhost', allow_localhost: true) + expect(described_class).not_to be_blocked_url('http://127.0.0.1', allow_localhost: true) + end + + it 'allows loopback endpoints' do + expect(described_class).not_to be_blocked_url('http://127.0.0.2', allow_localhost: true) + end + it 'allows IPv4 link-local endpoints' do expect(described_class).not_to be_blocked_url('http://169.254.169.254') expect(described_class).not_to be_blocked_url('http://169.254.168.100') @@ -122,7 +142,7 @@ describe Gitlab::UrlBlocker do end def stub_domain_resolv(domain, ip) - allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false)]) + allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false, ipv4_loopback?: false, ipv6_loopback?: false)]) end def unstub_domain_resolv |