Merge branch 'security-include-directive-allows-ssrf-requests' into 'master'

[Master]: - Ensures SSRF requests are not allowed by include directive

See merge request gitlab/gitlab-ee!625

ee/changelogs/unreleased/security-include-directive-allows-ssrf-requests.yml

+---
+title: Fixes include directive to not allow SSRF requests
+merge_request:
+author:
+type: security

ee/lib/gitlab/ci/external/file/remote.rb

@@ -11,8 +11,8 @@ module Gitlab
 
             @content = strong_memoize(:content) do
               begin
-                Gitlab::HTTP.get(location, allow_local_requests: true)
-              rescue Gitlab::HTTP::Error, Timeout::Error, SocketError
+                Gitlab::HTTP.get(location)
+              rescue Gitlab::HTTP::Error, Timeout::Error, SocketError, Gitlab::HTTP::BlockedUrlError
                 nil
               end
             end

ee/spec/lib/gitlab/ci/external/file/remote_spec.rb

@@ -50,6 +50,14 @@ describe Gitlab::Ci::External::File::Remote do
         expect(remote_file.valid?).to be_falsy
       end
     end
+
+    context 'with an internal url' do
+      let(:location) { 'http://localhost:8080' }
+
+      it 'should be falsy' do
+        expect(remote_file.valid?).to be_falsy
+      end
+    end
   end
 
   describe "#content" do
@@ -84,6 +92,14 @@ describe Gitlab::Ci::External::File::Remote do
         expect(remote_file.content).to be_nil
       end
     end
+
+    context 'with an internal url' do
+      let(:location) { 'http://localhost:8080' }
+
+      it 'should be nil' do
+        expect(remote_file.content).to be_nil
+      end
+    end
   end
 
   describe "#error_message" do