
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-26 21:08:03 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-26 21:08:03 +0300
commitdc003cd08b4cb72fecbb03aa978ea0c53c03aeb4 (patch)
tree5e77ce228c33619201ac6706b9789d4a2eed2a3b /app/controllers/import
parente80e0dd64fbb04f60394cb1bb08e17dbcb22b8ce (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/controllers/import')
-rw-r--r--app/controllers/import/fogbugz_controller.rb18
1 files changed, 18 insertions, 0 deletions
diff --git a/app/controllers/import/fogbugz_controller.rb b/app/controllers/import/fogbugz_controller.rb
index 28ead8d44da..4fb6efde7ff 100644
--- a/app/controllers/import/fogbugz_controller.rb
+++ b/app/controllers/import/fogbugz_controller.rb
@@ -3,6 +3,7 @@
class Import::FogbugzController < Import::BaseController
before_action :verify_fogbugz_import_enabled
before_action :user_map, only: [:new_user_map, :create_user_map]
+ before_action :verify_blocked_uri, only: :callback
rescue_from Fogbugz::AuthenticationException, with: :fogbugz_unauthorized
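Review bot: The URL check is wired to `callback` only, so it protects the import only if every later request reuses the URI that was validated there. The other actions and the place where the URI is stored are outside this hunk, so this cannot be confirmed from here. If that is the design, say so next to the filter, for example `# callback is the only action that accepts params[:uri]; later steps reuse the value validated here`. A request spec that posts a loopback or private-range `uri` to `callback` and expects the redirect would pin the behaviour.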
@@ -106,4 +107,21 @@ class Import::FogbugzController < Import::BaseController
def verify_fogbugz_import_enabled
render_404 unless fogbugz_import_enabled?
end
+
+ def verify_blocked_uri
+ Gitlab::UrlBlocker.validate!(
+ params[:uri],
+ {
+ allow_localhost: allow_local_requests?,
+ allow_local_network: allow_local_requests?,
+ schemes: %w(http https)
+ }
+ )
+ rescue Gitlab::UrlBlocker::BlockedUrlError => e
+ redirect_to new_import_fogbugz_url, alert: _('Specified URL cannot be used: "%{reason}"') % { reason: e.message }
+ end
+
+ def allow_local_requests?
+ Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
+ end
end
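Review bot: `verify_blocked_uri` validates `params[:uri]` once and discards whatever `validate!` returns, so the check and the later Fogbugz request appear to resolve the host name independently; an address that is acceptable at check time is not guaranteed to be the one contacted. The client code is outside this hunk, so confirm whether it connects to the validated address or re-validates, and whether it follows redirects to hosts that were never checked. Separately, the options are passed as a braced positional hash; if `validate!` declares keyword parameters, drop the braces so the call does not rely on implicit hash-to-keyword conversion: `Gitlab::UrlBlocker.validate!(params[:uri], allow_localhost: allow_local_requests?, allow_local_network: allow_local_requests?, schemes: %w(http https))`. It is also worth a short comment or spec stating what the filter does when `uri` is blank or missing, since that path is not visible here.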