Commit e6fbd09b authored by Thong Kuah's avatar Thong Kuah

Merge branch 'nmalcolm-337796-block-reserved-ip' into 'master'

Add limited broadcast addr to local network block list in UrlBlocker

See merge request gitlab-org/gitlab!82571
parents 69faf526 9ba2dfbe
......@@ -153,6 +153,7 @@ module Gitlab
validate_local_network(address_info)
validate_link_local(address_info)
validate_shared_address(address_info)
validate_limited_broadcast_address(address_info)
end
end
......@@ -257,6 +258,17 @@ module Gitlab
raise BlockedUrlError, "Requests to the link local network are not allowed"
end
# Raises a BlockedUrlError if any IP in `addrs_info` is the limited
# broadcast address.
# https://datatracker.ietf.org/doc/html/rfc919#section-7
def validate_limited_broadcast_address(addrs_info)
blocked_ips = ["255.255.255.255"]
return if (blocked_ips & addrs_info.map(&:ip_address)).empty?
raise BlockedUrlError, "Requests to the limited broadcast address are not allowed"
end
def internal?(uri)
internal_web?(uri) || internal_shell?(uri)
end
......
......@@ -366,6 +366,21 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
]
end
let(:limited_broadcast_address_variants) do
[
'255.255.255.255', # "normal" dotted decimal
'0377.0377.0377.0377', # Octal
'0377.00000000377.00377.0000377', # Still octal
'0xff.0xff.0xff.0xff', # hex
'0xffffffff', # still hex
'0xBaaaaaaaaaaaaaaaaffffffff', # padded hex
'255.255.255.255:65535', # with a port
'4294967295', # as an integer / dword
'[::ffff:ffff:ffff]', # short IPv6
'[0000:0000:0000:0000:0000:ffff:ffff:ffff]' # long IPv6
]
end
let(:fake_domain) { 'www.fakedomain.fake' }
shared_examples 'allows local requests' do |url_blocker_attributes|
......@@ -403,6 +418,12 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
expect(described_class).not_to be_blocked_url('http://[::ffff:a9fe:a864]', **url_blocker_attributes)
expect(described_class).not_to be_blocked_url('http://[fe80::c800:eff:fe74:8]', **url_blocker_attributes)
end
it 'allows limited broadcast address 255.255.255.255 and variants' do
limited_broadcast_address_variants.each do |variant|
expect(described_class).not_to be_blocked_url("https://#{variant}", **url_blocker_attributes), "Expected #{variant} to be allowed"
end
end
end
context 'true (default)' do
......@@ -435,6 +456,17 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
expect(described_class).to be_blocked_url('http://[fe80::c800:eff:fe74:8]', allow_local_network: false)
end
it 'blocks limited broadcast address 255.255.255.255 and variants' do
# Raise BlockedUrlError for invalid URLs.
# The padded hex version, for example, is a valid URL on Mac but
# not on Ubuntu.
stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
limited_broadcast_address_variants.each do |variant|
expect(described_class).to be_blocked_url("https://#{variant}", allow_local_network: false), "Expected #{variant} to be blocked"
end
end
context 'when local domain/IP is allowed' do
let(:url_blocker_attributes) do
{
......@@ -461,6 +493,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
'::ffff:169.254.168.100',
'::ffff:a9fe:a864',
'fe80::c800:eff:fe74:8',
'255.255.255.255',
# garbage IPs
'45645632345',
......@@ -482,6 +515,10 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
expect(described_class).to be_blocked_url(url, **attrs)
end
end
it 'allows the limited broadcast address 255.255.255.255' do
expect(described_class).not_to be_blocked_url('http://255.255.255.255', **url_blocker_attributes)
end
end
context 'with domains in allowlist' do
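Review bot: The `each` loops in 'allows limited broadcast address 255.255.255.255 and variants' and 'blocks limited broadcast address 255.255.255.255 and variants' stop at the first failing variant, so a regression in the octal spelling hides whether the hex and IPv6 spellings still behave; tagging both examples with `:aggregate_failures` (e.g. `it 'blocks limited broadcast address 255.255.255.255 and variants', :aggregate_failures do`) reports every variant in one run and makes the hand-written "Expected … to be blocked" message unnecessary. The `stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')` call is present only in the blocking example; whether the padded-hex variant parses the same way across platforms in the allowing example is not clear from the hunk, so if that was considered a short comment there would help the next reader. The describe block continues outside the hunk.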
......