Commit a1fc9259 authored by Peter Leitzen's avatar Peter Leitzen

Merge branch '219074-safe-link-validation' into 'master'

Block invalid urls in metrics dashboard links

See merge request gitlab-org/gitlab!34204
parents 6fd95fae 75434bcb
...@@ -13,7 +13,8 @@ module Metrics ...@@ -13,7 +13,8 @@ module Metrics
STAGES::EndpointInserter, STAGES::EndpointInserter,
STAGES::PanelIdsInserter, STAGES::PanelIdsInserter,
STAGES::Sorter, STAGES::Sorter,
STAGES::AlertsInserter STAGES::AlertsInserter,
STAGES::UrlValidator
].freeze ].freeze
def get_dashboard def get_dashboard
......
---
title: Add validation step on backend for metrics dashboard links
merge_request: 34204
author:
type: added
# frozen_string_literal: true
module Gitlab
module Metrics
module Dashboard
module Stages
class UrlValidator < BaseStage
def transform!
dashboard[:links]&.each do |link|
Gitlab::UrlBlocker.validate!(link[:url])
rescue Gitlab::UrlBlocker::BlockedUrlError
link[:url] = ''
end
end
end
end
end
end
end
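Review bot: `Gitlab::UrlBlocker.validate!(link[:url])` is called with no options, so which schemes and hosts a dashboard link may use is decided entirely by the blocker's defaults, which are not visible on this page. Since these links come from a user-authored dashboard file and are presumably rendered as clickable anchors, I would pin the allow-list at the call site, e.g. `Gitlab::UrlBlocker.validate!(link[:url], schemes: %w(http https))`. Only `BlockedUrlError` is rescued, so a `links` value that is not an array of hashes would raise a different error out of `transform!` unless an earlier stage already checks the shape, which is worth confirming. A short class comment would also help explain why a blocked URL is blanked rather than the link being dropped or the dashboard rejected, e.g. `# Replaces any link URL rejected by Gitlab::UrlBlocker with an empty string.`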
...@@ -16,7 +16,8 @@ describe Gitlab::Metrics::Dashboard::Processor do ...@@ -16,7 +16,8 @@ describe Gitlab::Metrics::Dashboard::Processor do
Gitlab::Metrics::Dashboard::Stages::EndpointInserter, Gitlab::Metrics::Dashboard::Stages::EndpointInserter,
Gitlab::Metrics::Dashboard::Stages::Sorter, Gitlab::Metrics::Dashboard::Stages::Sorter,
Gitlab::Metrics::Dashboard::Stages::AlertsInserter, Gitlab::Metrics::Dashboard::Stages::AlertsInserter,
Gitlab::Metrics::Dashboard::Stages::PanelIdsInserter Gitlab::Metrics::Dashboard::Stages::PanelIdsInserter,
Gitlab::Metrics::Dashboard::Stages::UrlValidator
] ]
end end
...@@ -201,6 +202,27 @@ describe Gitlab::Metrics::Dashboard::Processor do ...@@ -201,6 +202,27 @@ describe Gitlab::Metrics::Dashboard::Processor do
it_behaves_like 'errors with message', 'Each "metric" must define one of :query or :query_range' it_behaves_like 'errors with message', 'Each "metric" must define one of :query or :query_range'
end end
describe 'validating links' do
context 'when the links contain a blocked url' do
let(:dashboard_yml_links) do
[{ 'url' => 'http://1.1.1.1.1' }, { 'url' => 'https://gitlab.com' }]
end
let(:expected) do
[{ url: '' }, { url: 'https://gitlab.com' }]
end
before do
stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
dashboard_yml['links'] = dashboard_yml_links
end
it 'replaces the blocked url with an empty string' do
expect(dashboard[:links]).to eq(expected)
end
end
end
end end
private private
......
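Review bot: The new 'validating links' example covers a single rejected URL (`http://1.1.1.1.1`), which looks like it exercises only the invalid-host path. There is no case for a dashboard without a `links` key (the `&.` branch in the stage), a link entry with no `url`, or a URL with a non-http scheme, and I would add contexts for those so the stage's contract is pinned. The `stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')` line deserves a comment, e.g. `# invalid URLs are allowed in the test env by default; disable that so the first link is rejected`, assuming that is what the variable controls.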