author | Stan Hu <stanhu@gmail.com> | 2018-09-29 04:51:02 +0300 |
committer | Stan Hu <stanhu@gmail.com> | 2018-10-03 06:04:37 +0300 |
commit | 215feb642de94485d7644a532b6a9982d964d539 (patch) | |
tree | c7d4834cfade13daf8ef1d1e05c12398aef482d2 /spec/models/project_services/hipchat_service_spec.rb | |
parent | bf37ff071fca1b61681e42522ffb6a6dcf5c0e8d (diff) |
Prevent SSRF attacks in HipChat integration
This change monkey patches the HipChat client to use the GitLab HTTParty
connection adapter, which can block access to certain hosts.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51142
Diffstat (limited to 'spec/models/project_services/hipchat_service_spec.rb')
-rw-r--r-- | spec/models/project_services/hipchat_service_spec.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/spec/models/project_services/hipchat_service_spec.rb b/spec/models/project_services/hipchat_service_spec.rb
index 0cd712e2f40..b0fd2ceead0 100644
--- a/spec/models/project_services/hipchat_service_spec.rb
+++ b/spec/models/project_services/hipchat_service_spec.rb
@@ -387,4 +387,22 @@ describe HipchatService do
 end
 end
 end
+
+ context 'with UrlBlocker' do
+ let(:user) { create(:user) }
+ let(:project) { create(:project, :repository) }
+ let(:hipchat) { described_class.new(project: project) }
+ let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
+
+ describe '#execute' do
+ before do
+ hipchat.server = 'http://localhost:9123'
+ end
+
+ it 'raises UrlBlocker for localhost' do
+ expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
+ expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
+ end
+ end
+ end
 end |
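Review bot: The new `it 'raises UrlBlocker for localhost'` case exercises only the literal hostname `localhost` set in the `before` block, so a regression that still rejects the string `localhost` but lets `http://127.0.0.1:9123`, `http://[::1]:9123`, `http://0.0.0.0:9123`, a link-local metadata address such as `http://169.254.169.254` or an RFC 1918 address such as `http://10.0.0.1:9123` through would pass, and those are the SSRF targets the commit message says it is closing. The `expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original` line pins no arguments, so it would also pass if the adapter invoked the blocker with options that permit local requests; if `validate!` takes keyword options in this version (confirm the signature), constrain it with `.with(anything, hash_including(allow_localhost: false, allow_local_network: false))`. There is no positive case showing that an external HipChat server still gets through, so a change that blocked every host would not be caught; if the rest of the spec already stubs the outgoing HipChat request (not visible in this hunk), one `it 'does not raise for an external server'` with `hipchat.server = 'https://api.hipchat.com'` would cover it. A table-driven version of the blocked case, which also names the error actually raised, is below.
```ruby
    describe '#execute' do
      %w[http://localhost:9123 http://127.0.0.1:9123 http://[::1]:9123 http://0.0.0.0:9123 http://169.254.169.254 http://10.0.0.1:9123].each do |blocked_server|
        it "raises BlockedUrlError for #{blocked_server}" do
          hipchat.server = blocked_server

          expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
          expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
        end
      end
    end
```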