authorStan Hu <stanhu@gmail.com>2018-09-29 04:51:02 +0300
committerStan Hu <stanhu@gmail.com>2018-10-03 06:04:37 +0300
commit215feb642de94485d7644a532b6a9982d964d539 (patch)
treec7d4834cfade13daf8ef1d1e05c12398aef482d2 /spec/models/project_services/hipchat_service_spec.rb
parentbf37ff071fca1b61681e42522ffb6a6dcf5c0e8d (diff)
Prevent SSRF attacks in HipChat integration
This change monkey-patches the HipChat client to use the GitLab HTTParty connection adapter, which can block access to certain hosts. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51142
Diffstat (limited to 'spec/models/project_services/hipchat_service_spec.rb')
-rw-r--r--spec/models/project_services/hipchat_service_spec.rb18
1 files changed, 18 insertions, 0 deletions
diff --git a/spec/models/project_services/hipchat_service_spec.rb b/spec/models/project_services/hipchat_service_spec.rb
index 0cd712e2f40..b0fd2ceead0 100644
--- a/spec/models/project_services/hipchat_service_spec.rb
+++ b/spec/models/project_services/hipchat_service_spec.rb
@@ -387,4 +387,22 @@ describe HipchatService do
end
end
end
+
+ context 'with UrlBlocker' do
+ let(:user) { create(:user) }
+ let(:project) { create(:project, :repository) }
+ let(:hipchat) { described_class.new(project: project) }
+ let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
+
+ describe '#execute' do
+ before do
+ hipchat.server = 'http://localhost:9123'
+ end
+
+ it 'raises UrlBlocker for localhost' do
+ expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
+ expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
+ end
+ end
+ end
end
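Review bot: The spec only exercises the blocked path, so a regression in the monkey-patched adapter that breaks every outgoing HipChat call (or a `validate!` that rejects all hosts) would still pass; a sibling example that sets `hipchat.server` to a permitted external host and asserts the request is issued (via the request stubs the file presumably already uses, to be confirmed) would pin the positive side of the change. The example name also mismatches what is asserted: it says "raises UrlBlocker" but the expectation is on `Gitlab::HTTP::BlockedUrlError`, so `it 'raises BlockedUrlError for a localhost server URL' do` reads more accurately. The `expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original` line couples the test to the internal call path; the `raise_error` expectation on the line after it is the behavioural check, and the message-expectation could be dropped if the team prefers black-box specs. The `let(:user)` and `let(:project)` here may duplicate definitions earlier in the file, which is outside the hunk; the enclosing `describe HipchatService do` block also starts outside it.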