Merge branch 'ssrf-protections-round-2' into 'security-10-1'

Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions See merge request gitlab/gitlabhq!2219 (cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5) 1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions

Merge branch 'ssrf-protections-round-2' into 'security-10-1'
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions See merge request gitlab/gitlabhq!2219 (cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5) 1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
89bd7835 · Douwe Maan · Michael Kozono · 0c3877a4 · 89bd7835 · 89bd7835
Commit 89bd7835 authored Nov 07, 2017 by Douwe Maan Committed by Michael Kozono Nov 08, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 1 deletion

lib/gitlab/url_blocker.rb lib/gitlab/url_blocker.rb +3 -1

spec/lib/gitlab/url_blocker_spec.rb spec/lib/gitlab/url_blocker_spec.rb +16 -0

No files found.
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -22,10 +22,12 @@ module Gitlab
          return true if blocked_user_or_hostname?(uri.user)
          return true if blocked_user_or_hostname?(uri.hostname)

-          server_ips = Resolv.getaddresses(uri.hostname)
+          server_ips = Addrinfo.getaddrinfo(uri.hostname, 80, nil, :STREAM).map(&:ip_address)
          return true if (blocked_ips & server_ips).any?
        rescue Addressable::URI::InvalidURIError
          return true
+        rescue SocketError
+          return false
        end

        false

--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do
      expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git')).to be true
    end

+    it 'returns true for alternative version of 127.0.0.1 (0177.1)' do
+      expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true
+    end
+
+    it 'returns true for alternative version of 127.0.0.1 (0x7f.1)' do
+      expect(described_class.blocked_url?('https://0x7f.1:65535/foo/foo.git')).to be true
+    end
+
+    it 'returns true for alternative version of 127.0.0.1 (2130706433)' do
+      expect(described_class.blocked_url?('https://2130706433:65535/foo/foo.git')).to be true
+    end
+
+    it 'returns true for alternative version of 127.0.0.1 (127.000.000.001)' do
+      expect(described_class.blocked_url?('https://127.000.000.001:65535/foo/foo.git')).to be true
+    end
+
    it 'returns true for a non-alphanumeric hostname' do
      stub_resolv