diff options
| author | Douwe Maan <douwe@gitlab.com> | 2018-03-14 01:38:25 +0300 |
|---|---|---|
| committer | Mark Fletcher <mark@gitlab.com> | 2018-03-21 17:39:21 +0300 |
| commit | 95ced3bb5fa52e166aa03ee592f63180601cbde7 (patch) | |
| tree | 8e75e6ccf9a443ba004b11891b84518fd7cfe884 /lib/mattermost | |
| parent | 30c480c2b3f4709f592d8b095f8653df940f6845 (diff) | |
Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'
Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2337
Diffstat (limited to 'lib/mattermost')
| -rw-r--r-- | lib/mattermost/session.rb | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/lib/mattermost/session.rb b/lib/mattermost/session.rb index 65ccdb3c347..a514ec15c2a 100644 --- a/lib/mattermost/session.rb +++ b/lib/mattermost/session.rb @@ -22,16 +22,14 @@ module Mattermost # going. class Session include Doorkeeper::Helpers::Controller - include HTTParty LEASE_TIMEOUT = 60 - base_uri Settings.mattermost.host - - attr_accessor :current_resource_owner, :token + attr_accessor :current_resource_owner, :token, :base_uri def initialize(current_user) @current_resource_owner = current_user + @base_uri = Settings.mattermost.host end def with_session @@ -73,13 +71,13 @@ module Mattermost def get(path, options = {}) handle_exceptions do - self.class.get(path, options.merge(headers: @headers)) + Gitlab::HTTP.get(path, build_options(options)) end end def post(path, options = {}) handle_exceptions do - self.class.post(path, options.merge(headers: @headers)) + Gitlab::HTTP.post(path, build_options(options)) end end @@ -91,6 +89,14 @@ module Mattermost private + def build_options(options) + options.tap do |hash| + hash[:headers] = @headers + hash[:allow_local_requests] = true + hash[:base_uri] = base_uri if base_uri.presence + end + end + def create raise Mattermost::NoSessionError unless oauth_uri raise Mattermost::NoSessionError unless token_uri @@ -165,14 +171,14 @@ module Mattermost def handle_exceptions yield - rescue HTTParty::Error => e + rescue Gitlab::HTTP::Error => e raise Mattermost::ConnectionError.new(e.message) rescue Errno::ECONNREFUSED => e raise Mattermost::ConnectionError.new(e.message) end def parse_cookie(response) - cookie_hash = CookieHash.new + cookie_hash = Gitlab::HTTP::CookieHash.new response.get_fields('Set-Cookie').each { |c| cookie_hash.add_cookies(c) } cookie_hash end |