diff options
| author | Douwe Maan <douwe@gitlab.com> | 2018-03-14 01:38:25 +0300 |
|---|---|---|
| committer | Mark Fletcher <mark@gitlab.com> | 2018-03-21 17:39:21 +0300 |
| commit | 95ced3bb5fa52e166aa03ee592f63180601cbde7 (patch) | |
| tree | 8e75e6ccf9a443ba004b11891b84518fd7cfe884 /app/validators | |
| parent | 30c480c2b3f4709f592d8b095f8653df940f6845 (diff) | |
Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'
Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2337
Diffstat (limited to 'app/validators')
| -rw-r--r-- | app/validators/importable_url_validator.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/validators/importable_url_validator.rb b/app/validators/importable_url_validator.rb index 37a314adee6..3ec1594e202 100644 --- a/app/validators/importable_url_validator.rb +++ b/app/validators/importable_url_validator.rb @@ -4,7 +4,7 @@ # protect against Server-side Request Forgery (SSRF). class ImportableUrlValidator < ActiveModel::EachValidator def validate_each(record, attribute, value) - if Gitlab::UrlBlocker.blocked_url?(value) + if Gitlab::UrlBlocker.blocked_url?(value, valid_ports: Project::VALID_IMPORT_PORTS) record.errors.add(attribute, "imports are not allowed from that URL") end end |