author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:36:50 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:36:50 +0300 |
commit | 03340f0987ac61ef4c884d4730e2fd3cbff113c5 (patch) | |
tree | 6c2fd54002575eaeb700b6979e1214408f77ea64 /lib | |
parent | 6412a3e007eef5fa9ee0cdfd288200d4cc2ee06b (diff) | |
parent | af16fd687e2e5b15a63e6e51d76847512ae8ee72 (diff) |
Merge branch 'security-kubernetes-local-ssrf' into 'master'
Block local URLs for Kubernetes integration
See merge request gitlab/gitlabhq!2901
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/kubernetes/kube_client.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/gitlab/kubernetes/kube_client.rb b/lib/gitlab/kubernetes/kube_client.rb
index 624c2c67551..de14df56555 100644
--- a/lib/gitlab/kubernetes/kube_client.rb
+++ b/lib/gitlab/kubernetes/kube_client.rb
@@ -82,6 +82,8 @@ module Gitlab
 def initialize(api_prefix, **kubeclient_options)
 @api_prefix = api_prefix
 @kubeclient_options = kubeclient_options.merge(http_max_redirects: 0)
+
+ validate_url!
 end
 def create_or_update_cluster_role_binding(resource)
@@ -118,6 +120,12 @@ module Gitlab
 private
+ def validate_url!
+ return if Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?
+
+ Gitlab::UrlBlocker.validate!(api_prefix, allow_local_network: false)
+ end
+
 def cluster_role_binding_exists?(resource)
 get_cluster_role_binding(resource.metadata.name)
 rescue ::Kubeclient::ResourceNotFoundError |
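Review bot: The `validate_url!` call in `initialize` checks `api_prefix` only once, when the client object is built, while the requests themselves go out later through Kubeclient, which presumably resolves the host again when it connects. A hostname whose DNS answer differs between the check and a later request would pass here, so the protection is only as strong as the resolver's answer at construction time. The `http_max_redirects: 0` on the line above is what keeps a redirect from undoing the check, and that dependency deserves a comment there: `# Redirects stay disabled so the host validated below is the only host contacted.` If changing DNS answers are in scope for this fix, the address that was validated would have to be the one the connection uses, which is not something this hunk shows.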
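Review bot: `validate_url!` lets `Gitlab::UrlBlocker.validate!` raise out of the constructor, so every `KubeClient.new` caller gains a failure mode that nothing in this file documents. I would put a comment above the method, `# Raises Gitlab::UrlBlocker::BlockedUrlError when api_prefix is a local address and local requests are disabled.`, and confirm that the callers (outside this diff) rescue it and surface a validation message instead of an unhandled error. The early return also makes the Kubernetes integration obey the hooks-and-services setting; the same comment should say this coupling is intentional, since the setting's name does not mention clusters. The private section continues past the end of the hunk.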