Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
8d628223
Commit
8d628223
authored
Feb 01, 2021
by
GitLab Bot
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
parent
33844e18
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
23 additions
and
1 deletion
+23
-1
changelogs/unreleased/security-ssrf-outbound-request.yml
changelogs/unreleased/security-ssrf-outbound-request.yml
+5
-0
lib/gitlab/url_blocker.rb
lib/gitlab/url_blocker.rb
+3
-1
spec/lib/gitlab/url_blocker_spec.rb
spec/lib/gitlab/url_blocker_spec.rb
+15
-0
No files found.
changelogs/unreleased/security-ssrf-outbound-request.yml
0 → 100644
View file @
8d628223
---
title
:
Fix DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting
merge_request
:
author
:
type
:
security
lib/gitlab/url_blocker.rb
View file @
8d628223
...
...
@@ -49,10 +49,12 @@ module Gitlab
return
[
uri
,
nil
]
unless
address_info
ip_address
=
ip_address
(
address_info
)
return
[
uri
,
nil
]
if
domain_allowed?
(
uri
)
||
ip_allowed?
(
ip_address
,
port:
get_port
(
uri
))
return
[
uri
,
nil
]
if
domain_allowed?
(
uri
)
protected_uri_with_hostname
=
enforce_uri_hostname
(
ip_address
,
uri
,
dns_rebind_protection
)
return
protected_uri_with_hostname
if
ip_allowed?
(
ip_address
,
port:
get_port
(
uri
))
# Allow url from the GitLab instance itself but only for the configured hostname and ports
return
protected_uri_with_hostname
if
internal?
(
uri
)
...
...
spec/lib/gitlab/url_blocker_spec.rb
View file @
8d628223
...
...
@@ -91,6 +91,21 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end
end
context
'DNS rebinding protection with IP allowed'
do
let
(
:import_url
)
{
'http://a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&check-keys=*'
}
before
do
stub_dns
(
import_url
,
ip_address:
'192.168.0.120'
)
allow
(
Gitlab
::
UrlBlockers
::
UrlAllowlist
).
to
receive
(
:ip_allowed?
).
and_return
(
true
)
end
it_behaves_like
'validates URI and hostname'
do
let
(
:expected_uri
)
{
'http://192.168.0.120:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&check-keys=*'
}
let
(
:expected_hostname
)
{
'a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network'
}
end
end
context
'disabled DNS rebinding protection'
do
subject
{
described_class
.
validate!
(
import_url
,
dns_rebind_protection:
false
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment