Ensures SSRF requests are not allowed by include directive

'allow_local_requests' argument was removed from File::Remote in the external module. Related to https://gitlab.com/gitlab-org/gitlab-ee/issues/6002

Ensures SSRF requests are not allowed by include directive
'allow_local_requests' argument was removed from File::Remote in the external module. Related to https://gitlab.com/gitlab-org/gitlab-ee/issues/6002
b44fdca0 · Mayra Cabrera · d7f95be9 · b44fdca0 · b44fdca0
Commit b44fdca0 authored May 15, 2018 by Mayra Cabrera
2 changed files
--- a/ee/changelogs/unreleased/security-include-directive-allows-ssrf-requests.yml
+++ b/ee/changelogs/unreleased/security-include-directive-allows-ssrf-requests.yml
+---
+title: Fixes include directive to not allow SSRF requests
+merge_request:
+author:
+type: security
--- a/ee/lib/gitlab/ci/external/file/remote.rb
+++ b/ee/lib/gitlab/ci/external/file/remote.rb
@@ -11,7 +11,7 @@ module Gitlab

            @content = strong_memoize(:content) do
              begin
-                Gitlab::HTTP.get(location, allow_local_requests: true)
+                Gitlab::HTTP.get(location)
              rescue Gitlab::HTTP::Error, Timeout::Error, SocketError
                nil
              end