Add latest changes from gitlab-org/gitlab@13-6-stable-eev13.6.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-11-19 11:27:35 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-11-19 11:27:35 +0300
commit: 7e9c479f7de77702622631cff2628a9c8dcbc627 (patch)
tree: c8f718a08e110ad7e1894510980d2155a6549197 /app/services/import/github_service.rb
parent: e852b0ae16db4052c1c567d9efa4facc81146e88 (diff)
1 files changed, 23 insertions, 0 deletions
diff --git a/app/services/import/github_service.rb b/app/services/import/github_service.rb
index a2923b1e4f9..948dba2d206 100644
--- a/app/services/import/github_service.rb
+++ b/app/services/import/github_service.rb
@@ -6,6 +6,10 @@ module Import
     attr_reader :params, :current_user
 
     def execute(access_params, provider)
+      if blocked_url?
+        return log_and_return_error("Invalid URL: #{url}", :bad_request)
+      end
+
       unless authorized?
         return error(_('This namespace has already been taken! Please choose another one.'), :unprocessable_entity)
       end
@@ -56,6 +60,25 @@ module Import
       can?(current_user, :create_projects, target_namespace)
     end
 
+    def url
+      @url ||= params[:github_hostname]
+    end
+
+    def allow_local_requests?
+      Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
+    end
+
+    def blocked_url?
+      Gitlab::UrlBlocker.blocked_url?(
+        url,
+        {
+          allow_localhost: allow_local_requests?,
+          allow_local_network: allow_local_requests?,
+          schemes: %w(http https)
+        }
+      )
+    end
+
     private
 
     def log_error(exception)
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-11-19 11:27:35 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-11-19 11:27:35 +0300
commit	7e9c479f7de77702622631cff2628a9c8dcbc627 (patch)
tree	c8f718a08e110ad7e1894510980d2155a6549197 /app/services/import/github_service.rb
parent	e852b0ae16db4052c1c567d9efa4facc81146e88 (diff)