Commit fe419949 authored by Douwe Maan's avatar Douwe Maan Committed by Winnie Hellmann

Merge branch 'ssrf-protections-round-2-9-5' into 'security-9-5'

Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions (9-5)

See merge request gitlab/gitlabhq!2221

(cherry picked from commit 53cc25eb3d45c782b5085524a8976f034ef18781)

96555882 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
parent 19893b0a
...@@ -22,10 +22,12 @@ module Gitlab ...@@ -22,10 +22,12 @@ module Gitlab
return true if blocked_user_or_hostname?(uri.user) return true if blocked_user_or_hostname?(uri.user)
return true if blocked_user_or_hostname?(uri.hostname) return true if blocked_user_or_hostname?(uri.hostname)
server_ips = Resolv.getaddresses(uri.hostname) server_ips = Addrinfo.getaddrinfo(uri.hostname, 80, nil, :STREAM).map(&:ip_address)
return true if (blocked_ips & server_ips).any? return true if (blocked_ips & server_ips).any?
rescue Addressable::URI::InvalidURIError rescue Addressable::URI::InvalidURIError
return true return true
rescue SocketError
return false
end end
false false
......
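Review bot: The added `rescue SocketError` / `return false` branch lets a hostname that fails to resolve pass the check, so the blocker fails open on resolution errors while the `InvalidURIError` branch just above it fails closed; if that asymmetry is intended it should be stated at the branch, e.g. `# An unresolvable hostname is not blocked here; the request itself will fail later`. The `80` and `:STREAM` arguments to `Addrinfo.getaddrinfo` are unrelated to the URI's port and only shape the returned records (the socktype keeps each address from being listed once per socket type), which deserves a one-line comment since a reader will otherwise look for a connection to `uri.port`. The enclosing method begins before this hunk and the hunk is collapsed after the `false` line, so whether other rescues or a surrounding resolver stub exist there is not visible.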
...@@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do ...@@ -20,6 +20,22 @@ describe Gitlab::UrlBlocker do
expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git')).to be true expect(described_class.blocked_url?('https://gitlab.com:25/foo/foo.git')).to be true
end end
it 'returns true for alternative version of 127.0.0.1 (0177.1)' do
expect(described_class.blocked_url?('https://0177.1:65535/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (0x7f.1)' do
expect(described_class.blocked_url?('https://0x7f.1:65535/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (2130706433)' do
expect(described_class.blocked_url?('https://2130706433:65535/foo/foo.git')).to be true
end
it 'returns true for alternative version of 127.0.0.1 (127.000.000.001)' do
expect(described_class.blocked_url?('https://127.000.000.001:65535/foo/foo.git')).to be true
end
it 'returns true for a non-alphanumeric hostname' do it 'returns true for a non-alphanumeric hostname' do
stub_resolv stub_resolv
......
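Review bot: The four new examples for alternative 127.0.0.1 spellings call `blocked_url?` without the `stub_resolv` the neighbouring example uses, so whether `0177.1`, `0x7f.1`, `2130706433` and `127.000.000.001` are recognised presumably depends on how the platform's `getaddrinfo` parses legacy numeric hosts, which may differ between libc implementations; a short comment naming that dependency would help whoever sees these fail on another OS, e.g. `# Relies on the system resolver accepting inet_aton-style numeric hosts`. The examples repeat the same body with only the literal changed; a single `%w[...]` list iterated with `it` blocks would keep the four cases in one place. The enclosing `describe` block starts before this hunk.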