Merge branch 'security-kubernetes-local-ssrf' into 'master'

Block local URLs for Kubernetes integration See merge request gitlab/gitlabhq!2901
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:36:50 +0300
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:36:50 +0300
commit: 03340f0987ac61ef4c884d4730e2fd3cbff113c5 (patch)
tree: 6c2fd54002575eaeb700b6979e1214408f77ea64 /lib
parent: 6412a3e007eef5fa9ee0cdfd288200d4cc2ee06b (diff)
parent: af16fd687e2e5b15a63e6e51d76847512ae8ee72 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/gitlab/kubernetes/kube_client.rb b/lib/gitlab/kubernetes/kube_client.rb
index 624c2c67551..de14df56555 100644
--- a/lib/gitlab/kubernetes/kube_client.rb
+++ b/lib/gitlab/kubernetes/kube_client.rb
@@ -82,6 +82,8 @@ module Gitlab
       def initialize(api_prefix, **kubeclient_options)
         @api_prefix = api_prefix
         @kubeclient_options = kubeclient_options.merge(http_max_redirects: 0)
+
+        validate_url!
       end
 
       def create_or_update_cluster_role_binding(resource)
@@ -118,6 +120,12 @@ module Gitlab
 
       private
 
+      def validate_url!
+        return if Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?
+
+        Gitlab::UrlBlocker.validate!(api_prefix, allow_local_network: false)
+      end
+
       def cluster_role_binding_exists?(resource)
         get_cluster_role_binding(resource.metadata.name)
       rescue ::Kubeclient::ResourceNotFoundError
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:36:50 +0300
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:36:50 +0300
commit	03340f0987ac61ef4c884d4730e2fd3cbff113c5 (patch)
tree	6c2fd54002575eaeb700b6979e1214408f77ea64 /lib
parent	6412a3e007eef5fa9ee0cdfd288200d4cc2ee06b (diff)
parent	af16fd687e2e5b15a63e6e51d76847512ae8ee72 (diff)