    Fix Server Side Request Forgery mitigation bypass · de9b7a69
    Francisco Javier López authored
    When we can't resolve the hostname or it is invalid, we shouldn't
    even perform the request. This fix also fixes the problem of the
    SSRF rebinding attack.
    
    We can't stub feature flags outside example blocks. Nevertheless,
    there are some actions that call the UrlBlocker, that are performed
    outside example blocks, i.e. the `set` instruction.

    That's why we have to use some signaling mechanism outside the scope
    of the specs.
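The rule stated in the commit message above (no request at all when the hostname is invalid or cannot be resolved, and no window for DNS rebinding), as an added Ruby example that is not the code of url_blocker.rb or of the project. `validate_and_pin`, `BlockedUrlError`, `BLOCKED_RANGES` and the injectable `resolver:` are hypothetical names, the range list is constructed and not exhaustive, and pinning the checked address is this example's assumed way of closing the rebinding window.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

class BlockedUrlError < StandardError; end

# Constructed, non-exhaustive list of internal ranges for this example.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Default lookup; pass a lambda as `resolver:` to run without network access.
SYSTEM_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Returns [uri_pointing_at_checked_ip, original_hostname] or raises
# BlockedUrlError. The caller sends the request to the returned URI and puts
# the original hostname in the Host header.
def validate_and_pin(url, resolver: SYSTEM_RESOLVER)
  uri = URI.parse(url)
  unless uri.is_a?(URI::HTTP) && !uri.hostname.to_s.empty?
    raise BlockedUrlError, 'only http(s) URLs with a host are allowed'
  end

  host = uri.hostname
  # An IP literal needs no lookup; any other host is resolved exactly once.
  addresses = begin
    [IPAddr.new(host).to_s]
  rescue IPAddr::InvalidAddressError
    resolver.call(host)
  end
  # Fail closed: an unresolvable host is rejected, not passed through.
  raise BlockedUrlError, "cannot resolve #{host}" if addresses.empty?

  # native maps ::ffff:a.b.c.d back to IPv4 so the IPv4 ranges apply to it.
  ips = addresses.map { |addr| IPAddr.new(addr).native }
  if ips.any? { |ip| BLOCKED_RANGES.any? { |range| range.include?(ip) } }
    raise BlockedUrlError, "#{host} resolves to an internal address"
  end

  # Pin the address that was checked, so the HTTP client performs no second
  # lookup that could return a different answer (DNS rebinding).
  pinned = uri.dup
  pinned.hostname = ips.first.to_s
  [pinned, host]
rescue URI::InvalidURIError
  raise BlockedUrlError, 'invalid URL'
end
```
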
url_blocker.rb 7.56 KB