Block request to :80 and :443 when app is on non-default port

2a8c9054 · Illya Klymov · GitLab Release Tools Bot · 2b5e3a6a · 2a8c9054 · 2a8c9054
Commit 2a8c9054 authored Jan 04, 2022 by Illya Klymov Committed by GitLab Release Tools Bot Jan 04, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 20 deletions

lib/gitlab/url_blocker.rb lib/gitlab/url_blocker.rb +2 -2

spec/lib/gitlab/url_blocker_spec.rb spec/lib/gitlab/url_blocker_spec.rb +38 -18

No files found.
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -252,13 +252,13 @@ module Gitlab
      def internal_web?(uri)
        uri.scheme == config.gitlab.protocol &&
          uri.hostname == config.gitlab.host &&
-          (uri.port.blank? || uri.port == config.gitlab.port)
+          get_port(uri) == config.gitlab.port
      end

      def internal_shell?(uri)
        uri.scheme == 'ssh' &&
          uri.hostname == config.gitlab_shell.ssh_host &&
-          (uri.port.blank? || uri.port == config.gitlab_shell.ssh_port)
+          get_port(uri) == config.gitlab_shell.ssh_port
      end

      def domain_allowed?(uri)

--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -531,24 +531,6 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
          end
        end
      end
-
-      def stub_domain_resolv(domain, ip, port = 80, &block)
-        address = instance_double(Addrinfo,
-          ip_address: ip,
-          ipv4_private?: true,
-          ipv6_linklocal?: false,
-          ipv4_loopback?: false,
-          ipv6_loopback?: false,
-          ipv4?: false,
-          ip_port: port
-        )
-        allow(Addrinfo).to receive(:getaddrinfo).with(domain, port, any_args).and_return([address])
-        allow(address).to receive(:ipv6_v4mapped?).and_return(false)
-
-        yield
-
-        allow(Addrinfo).to receive(:getaddrinfo).and_call_original
-      end
    end

    context 'when enforce_user is' do
@@ -611,6 +593,44 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do

      expect(described_class).to be_blocked_url('http://foobar.x')
    end
+
+    context 'when gitlab is running on a non-default port' do
+      let(:gitlab_port) { 3000 }
+
+      before do
+        stub_config(gitlab: { protocol: 'http', host: 'gitlab.local', port: gitlab_port })
+      end
+
+      it 'returns true for url targeting the wrong port' do
+        stub_domain_resolv('gitlab.local', '127.0.0.1') do
+          expect(described_class).to be_blocked_url("http://gitlab.local/foo")
+        end
+      end
+
+      it 'does not block url on gitlab port' do
+        stub_domain_resolv('gitlab.local', '127.0.0.1') do
+          expect(described_class).not_to be_blocked_url("http://gitlab.local:#{gitlab_port}/foo")
+        end
+      end
+    end
+
+    def stub_domain_resolv(domain, ip, port = 80, &block)
+      address = instance_double(Addrinfo,
+        ip_address: ip,
+        ipv4_private?: true,
+        ipv6_linklocal?: false,
+        ipv4_loopback?: false,
+        ipv6_loopback?: false,
+        ipv4?: false,
+        ip_port: port
+      )
+      allow(Addrinfo).to receive(:getaddrinfo).with(domain, port, any_args).and_return([address])
+      allow(address).to receive(:ipv6_v4mapped?).and_return(false)
+
+      yield
+
+      allow(Addrinfo).to receive(:getaddrinfo).and_call_original
+    end
  end

  describe '#validate_hostname' do