Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
5aa70c05
Commit
5aa70c05
authored
Mar 09, 2020
by
Nick Thomas
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'move-whitelist-specs' into 'master'
Move whitelist specs See merge request gitlab-org/gitlab!26673
parents
b841f858
fa107daf
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
57 additions
and
55 deletions
+57
-55
spec/lib/gitlab/url_blocker_spec.rb
spec/lib/gitlab/url_blocker_spec.rb
+11
-55
spec/lib/gitlab/url_blockers/url_whitelist_spec.rb
spec/lib/gitlab/url_blockers/url_whitelist_spec.rb
+46
-0
No files found.
spec/lib/gitlab/url_blocker_spec.rb
View file @
5aa70c05
...
@@ -501,64 +501,20 @@ describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
...
@@ -501,64 +501,20 @@ describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
it_behaves_like
'dns rebinding checks'
it_behaves_like
'dns rebinding checks'
end
end
end
end
context
'with ip ranges in whitelist'
do
let
(
:ipv4_range
)
{
'127.0.0.0/28'
}
let
(
:ipv6_range
)
{
'fd84:6d02:f6d8:c89e::/124'
}
let
(
:whitelist
)
do
[
ipv4_range
,
ipv6_range
]
end
it
'blocks ipv4 range when not in whitelist'
do
stub_application_setting
(
outbound_local_requests_whitelist:
[])
IPAddr
.
new
(
ipv4_range
).
to_range
.
to_a
.
each
do
|
ip
|
expect
(
described_class
).
to
be_blocked_url
(
"http://
#{
ip
}
"
,
url_blocker_attributes
)
end
end
it
'allows all ipv4s in the range when in whitelist'
do
IPAddr
.
new
(
ipv4_range
).
to_range
.
to_a
.
each
do
|
ip
|
expect
(
described_class
).
not_to
be_blocked_url
(
"http://
#{
ip
}
"
,
url_blocker_attributes
)
end
end
it
'blocks ipv6 range when not in whitelist'
do
stub_application_setting
(
outbound_local_requests_whitelist:
[])
IPAddr
.
new
(
ipv6_range
).
to_range
.
to_a
.
each
do
|
ip
|
expect
(
described_class
).
to
be_blocked_url
(
"http://[
#{
ip
}
]"
,
url_blocker_attributes
)
end
end
it
'allows all ipv6s in the range when in whitelist'
do
IPAddr
.
new
(
ipv6_range
).
to_range
.
to_a
.
each
do
|
ip
|
expect
(
described_class
).
not_to
be_blocked_url
(
"http://[
#{
ip
}
]"
,
url_blocker_attributes
)
end
end
it
'blocks IPs outside the range'
do
expect
(
described_class
).
to
be_blocked_url
(
"http://[fd84:6d02:f6d8:c89e:0:0:1:f]"
,
url_blocker_attributes
)
expect
(
described_class
).
to
be_blocked_url
(
"http://127.0.1.15"
,
url_blocker_attributes
)
end
end
end
end
end
end
def
stub_domain_resolv
(
domain
,
ip
,
&
block
)
def
stub_domain_resolv
(
domain
,
ip
,
port
=
80
,
&
block
)
address
=
double
(
ip_address:
ip
,
ipv4_private?:
true
,
ipv6_link_local?:
false
,
ipv4_loopback?:
false
,
ipv6_loopback?:
false
,
ipv4?:
false
)
address
=
instance_double
(
Addrinfo
,
allow
(
Addrinfo
).
to
receive
(
:getaddrinfo
).
with
(
domain
,
any_args
).
and_return
([
address
])
ip_address:
ip
,
ipv4_private?:
true
,
ipv6_linklocal?:
false
,
ipv4_loopback?:
false
,
ipv6_loopback?:
false
,
ipv4?:
false
,
ip_port:
port
)
allow
(
Addrinfo
).
to
receive
(
:getaddrinfo
).
with
(
domain
,
port
,
any_args
).
and_return
([
address
])
allow
(
address
).
to
receive
(
:ipv6_v4mapped?
).
and_return
(
false
)
allow
(
address
).
to
receive
(
:ipv6_v4mapped?
).
and_return
(
false
)
yield
yield
...
...
spec/lib/gitlab/url_blockers/url_whitelist_spec.rb
View file @
5aa70c05
...
@@ -68,5 +68,51 @@ describe Gitlab::UrlBlockers::UrlWhitelist do
...
@@ -68,5 +68,51 @@ describe Gitlab::UrlBlockers::UrlWhitelist do
it
'returns false when ip is blank'
do
it
'returns false when ip is blank'
do
expect
(
described_class
).
not_to
be_ip_whitelisted
(
nil
)
expect
(
described_class
).
not_to
be_ip_whitelisted
(
nil
)
end
end
context
'with ip ranges in whitelist'
do
let
(
:ipv4_range
)
{
'127.0.0.0/28'
}
let
(
:ipv6_range
)
{
'fd84:6d02:f6d8:c89e::/124'
}
let
(
:whitelist
)
do
[
ipv4_range
,
ipv6_range
]
end
it
'does not whitelist ipv4 range when not in whitelist'
do
stub_application_setting
(
outbound_local_requests_whitelist:
[])
IPAddr
.
new
(
ipv4_range
).
to_range
.
to_a
.
each
do
|
ip
|
expect
(
described_class
).
not_to
be_ip_whitelisted
(
ip
.
to_s
)
end
end
it
'whitelists all ipv4s in the range when in whitelist'
do
IPAddr
.
new
(
ipv4_range
).
to_range
.
to_a
.
each
do
|
ip
|
expect
(
described_class
).
to
be_ip_whitelisted
(
ip
.
to_s
)
end
end
it
'does not whitelist ipv6 range when not in whitelist'
do
stub_application_setting
(
outbound_local_requests_whitelist:
[])
IPAddr
.
new
(
ipv6_range
).
to_range
.
to_a
.
each
do
|
ip
|
expect
(
described_class
).
not_to
be_ip_whitelisted
(
ip
.
to_s
)
end
end
it
'whitelists all ipv6s in the range when in whitelist'
do
IPAddr
.
new
(
ipv6_range
).
to_range
.
to_a
.
each
do
|
ip
|
expect
(
described_class
).
to
be_ip_whitelisted
(
ip
.
to_s
)
end
end
it
'does not whitelist IPs outside the range'
do
expect
(
described_class
).
not_to
be_ip_whitelisted
(
"fd84:6d02:f6d8:c89e:0:0:1:f"
)
expect
(
described_class
).
not_to
be_ip_whitelisted
(
"127.0.1.15"
)
end
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment