Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee

05aac11a · GitLab Bot · d40003af · 05aac11a · 05aac11a · 05aac11a
Commit 05aac11a authored Sep 01, 2020 by GitLab Bot
3 changed files
--- a/app/services/projects/update_remote_mirror_service.rb
+++ b/app/services/projects/update_remote_mirror_service.rb
@@ -7,6 +7,10 @@ module Projects
    def execute(remote_mirror, tries)
      return success unless remote_mirror.enabled?
+      if Gitlab::UrlBlocker.blocked_url?(CGI.unescape(Gitlab::UrlSanitizer.sanitize(remote_mirror.url)))
+        return error("The remote mirror URL is invalid.")
+      end
      update_mirror(remote_mirror)
      success

--- a/changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml
+++ b/changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml
+---
+title: Check validity of project's import_url before mirroring repository
+merge_request:
+author:
+type: security
--- a/spec/services/projects/update_remote_mirror_service_spec.rb
+++ b/spec/services/projects/update_remote_mirror_service_spec.rb
@@ -56,6 +56,40 @@ RSpec.describe Projects::UpdateRemoteMirrorService do
      expect(remote_mirror.last_error).to include('Badly broken')
    end
+    context 'when the URL is blocked' do
+      before do
+        allow(Gitlab::UrlBlocker).to receive(:blocked_url?).and_return(true)
+      end
+      it 'fails and returns error status' do
+        expect(execute!).to eq(status: :error, message: 'The remote mirror URL is invalid.')
+      end
+    end
+    context "when given URLs containing escaped elements" do
+      using RSpec::Parameterized::TableSyntax
+      where(:url, :result_status) do
+        "https://user:0a%23@test.example.com/project.git"                               | :success
+        "https://git.example.com:1%2F%2F@source.developers.google.com/project.git"      | :success
+        CGI.escape("git://localhost:1234/some-path?some-query=some-val\#@example.com/") | :error
+        CGI.escape(CGI.escape("https://user:0a%23@test.example.com/project.git"))       | :error
+      end
+      with_them do
+        before do
+          allow(remote_mirror).to receive(:url).and_return(url)
+          allow(service).to receive(:update_mirror).with(remote_mirror).and_return(true)
+        end
+        it "returns expected status" do
+          result = execute!
+          expect(result[:status]).to eq(result_status)
+        end
+      end
+    end
    context 'when the update fails because of a `Gitlab::Git::CommandError`' do
      before do
        allow(remote_mirror).to receive(:update_repository)