Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'

Server Side Request Forgery in Services and Web Hooks See merge request gitlab/gitlabhq!2337
author: Douwe Maan <douwe@gitlab.com> 2018-03-14 01:38:25 +0300
committer: James Lopez <james@jameslopez.es> 2018-03-16 18:15:05 +0300
commit: 2d6c50bf02f975f1d28d35580c4ab10276787093 (patch)
tree: d37d985e7684ddeee04ab545eb77d0f3132e2592 /app/validators
parent: 9a7fd873f81d1f1755a3cb4bcaa54b7fb49b6b8d (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/app/validators/importable_url_validator.rb b/app/validators/importable_url_validator.rb
index 37a314adee6..3ec1594e202 100644
--- a/app/validators/importable_url_validator.rb
+++ b/app/validators/importable_url_validator.rb
@@ -4,7 +4,7 @@
 # protect against Server-side Request Forgery (SSRF).
 class ImportableUrlValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
-    if Gitlab::UrlBlocker.blocked_url?(value)
+    if Gitlab::UrlBlocker.blocked_url?(value, valid_ports: Project::VALID_IMPORT_PORTS)
       record.errors.add(attribute, "imports are not allowed from that URL")
     end
   end
author	Douwe Maan <douwe@gitlab.com>	2018-03-14 01:38:25 +0300
committer	James Lopez <james@jameslopez.es>	2018-03-16 18:15:05 +0300
commit	2d6c50bf02f975f1d28d35580c4ab10276787093 (patch)
tree	d37d985e7684ddeee04ab545eb77d0f3132e2592 /app/validators
parent	9a7fd873f81d1f1755a3cb4bcaa54b7fb49b6b8d (diff)