Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-03-18 03:07:43 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-03-18 03:07:43 +0300
commit: 8a55899cab04afa065fc681b42da746c93de7bfe (patch)
tree: 2b99a3340edf639216b46904a34867e7226d9c6a /lib/gitlab/url_blocker.rb
parent: 93003eb1155fdc2ce078fa03c74d7f15e83a80de (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 60c002853b1..fe8c2227659 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -153,6 +153,7 @@ module Gitlab
           validate_local_network(address_info)
           validate_link_local(address_info)
           validate_shared_address(address_info)
+          validate_limited_broadcast_address(address_info)
         end
       end
 
@@ -257,6 +258,17 @@ module Gitlab
         raise BlockedUrlError, "Requests to the link local network are not allowed"
       end
 
+      # Raises a BlockedUrlError if any IP in `addrs_info` is the limited
+      # broadcast address.
+      # https://datatracker.ietf.org/doc/html/rfc919#section-7
+      def validate_limited_broadcast_address(addrs_info)
+        blocked_ips = ["255.255.255.255"]
+
+        return if (blocked_ips & addrs_info.map(&:ip_address)).empty?
+
+        raise BlockedUrlError, "Requests to the limited broadcast address are not allowed"
+      end
+
       def internal?(uri)
         internal_web?(uri) || internal_shell?(uri)
       end
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-03-18 03:07:43 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-03-18 03:07:43 +0300
commit	8a55899cab04afa065fc681b42da746c93de7bfe (patch)
tree	2b99a3340edf639216b46904a34867e7226d9c6a /lib/gitlab/url_blocker.rb
parent	93003eb1155fdc2ce078fa03c74d7f15e83a80de (diff)