Fix Server Side Request Forgery mitigation bypass

When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem the SSRF rebinding attack. We can't stub feature flags outside example blocks. Nevertheless, there are some actions that calls the UrlBlocker, that are performed outside example blocks, ie: `set` instruction. That's why we have to use some signalign mechanism outside the scope of the specs.
author: Francisco Javier López <fjlopez@gitlab.com> 2019-07-02 19:38:23 +0300
committer: Francisco Javier López <fjlopez@gitlab.com> 2019-07-04 17:28:19 +0300
commit: c5177d9aae2b0c8c1d1780a01aa01862069bdaf1 (patch)
tree: 053fca60fa5039c76ebfe4f8a615e5ce0612318a /changelogs
parent: 08a51a9db938bb05f9a4c999075d010079e16bad (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-dns-ssrf-bypass.yml b/changelogs/unreleased/security-dns-ssrf-bypass.yml
new file mode 100644
index 00000000000..e48696ce5bd
--- /dev/null
+++ b/changelogs/unreleased/security-dns-ssrf-bypass.yml
@@ -0,0 +1,5 @@
+---
+title: Fix Server Side Request Forgery mitigation bypass
+merge_request:
+author:
+type: security
author	Francisco Javier López <fjlopez@gitlab.com>	2019-07-02 19:38:23 +0300
committer	Francisco Javier López <fjlopez@gitlab.com>	2019-07-04 17:28:19 +0300
commit	c5177d9aae2b0c8c1d1780a01aa01862069bdaf1 (patch)
tree	053fca60fa5039c76ebfe4f8a615e5ce0612318a /changelogs
parent	08a51a9db938bb05f9a4c999075d010079e16bad (diff)