Merge branch 'security-kubernetes-local-ssrf' into 'master'

Block local URLs for Kubernetes integration See merge request gitlab/gitlabhq!2901
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:36:50 +0300
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:36:50 +0300
commit: 03340f0987ac61ef4c884d4730e2fd3cbff113c5 (patch)
tree: 6c2fd54002575eaeb700b6979e1214408f77ea64 /spec/models/clusters
parent: 6412a3e007eef5fa9ee0cdfd288200d4cc2ee06b (diff)
parent: af16fd687e2e5b15a63e6e51d76847512ae8ee72 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb
index 4068d98d8f7..3b32ca8df05 100644
--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -98,6 +98,22 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
 
         it { expect(kubernetes.save).to be_truthy }
       end
+
+      context 'when api_url is localhost' do
+        let(:api_url) { 'http://localhost:22' }
+
+        it { expect(kubernetes.save).to be_falsey }
+
+        context 'Application settings allows local requests' do
+          before do
+            allow(ApplicationSetting)
+              .to receive(:current)
+              .and_return(ApplicationSetting.build_from_defaults(allow_local_requests_from_hooks_and_services: true))
+          end
+
+          it { expect(kubernetes.save).to be_truthy }
+        end
+      end
     end
 
     context 'when validates token' do
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:36:50 +0300
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:36:50 +0300
commit	03340f0987ac61ef4c884d4730e2fd3cbff113c5 (patch)
tree	6c2fd54002575eaeb700b6979e1214408f77ea64 /spec/models/clusters
parent	6412a3e007eef5fa9ee0cdfd288200d4cc2ee06b (diff)
parent	af16fd687e2e5b15a63e6e51d76847512ae8ee72 (diff)