Merge branch 'security-fix-ssrf-import-url-remote-mirror' into 'master'

[master] SSRF - Scan Internal Ports and GCP/AWS endpoints See merge request gitlab/gitlabhq!2689
author: John Jarvis <jarv@gitlab.com> 2019-01-01 23:38:37 +0300
committer: John Jarvis <jarv@gitlab.com> 2019-01-01 23:38:37 +0300
commit: e4dabec82a8f375389b9bb52b8fe6b1ac304d74e (patch)
tree: aaa221a679fd83fd7f41478e50a23ded4bc08fd4 /spec/models/remote_mirror_spec.rb
parent: 8f461ef779187018ddac59dbaccafe01c493e463 (diff)
parent: 63c48f73803cf1c68d6c9af408f877ea61781118 (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/spec/models/remote_mirror_spec.rb b/spec/models/remote_mirror_spec.rb
index 5d3c25062d5..224bc9ed935 100644
--- a/spec/models/remote_mirror_spec.rb
+++ b/spec/models/remote_mirror_spec.rb
@@ -24,6 +24,20 @@ describe RemoteMirror, :mailer do
         expect(remote_mirror).to be_invalid
         expect(remote_mirror.errors[:url].first).to include('Username needs to start with an alphanumeric character')
       end
+
+      it 'does not allow url pointing to localhost' do
+        remote_mirror = build(:remote_mirror, url: 'http://127.0.0.2/t.git')
+
+        expect(remote_mirror).to be_invalid
+        expect(remote_mirror.errors[:url].first).to include('Requests to loopback addresses are not allowed')
+      end
+
+      it 'does not allow url pointing to the local network' do
+        remote_mirror = build(:remote_mirror, url: 'https://192.168.1.1')
+
+        expect(remote_mirror).to be_invalid
+        expect(remote_mirror.errors[:url].first).to include('Requests to the local network are not allowed')
+      end
     end
   end
author	John Jarvis <jarv@gitlab.com>	2019-01-01 23:38:37 +0300
committer	John Jarvis <jarv@gitlab.com>	2019-01-01 23:38:37 +0300
commit	e4dabec82a8f375389b9bb52b8fe6b1ac304d74e (patch)
tree	aaa221a679fd83fd7f41478e50a23ded4bc08fd4 /spec/models/remote_mirror_spec.rb
parent	8f461ef779187018ddac59dbaccafe01c493e463 (diff)
parent	63c48f73803cf1c68d6c9af408f877ea61781118 (diff)