Protect Gitlab::HTTP against DNS rebinding attack

Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.

1 files changed, 6 insertions, 4 deletions

diff --git a/spec/services/web_hook_service_spec.rb b/spec/services/web_hook_service_spec.rb
index 75ba2479b63..37bafc0c002 100644
--- a/spec/services/web_hook_service_spec.rb
+++ b/spec/services/web_hook_service_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 describe WebHookService do
+  include StubRequests
+
   let(:project) { create(:project) }
   let(:project_hook) { create(:project_hook) }
   let(:headers) do
@@ -67,11 +69,11 @@ describe WebHookService do
       let(:project_hook) { create(:project_hook, url: 'https://demo:demo@example.org/') }
 
       it 'uses the credentials' do
-        WebMock.stub_request(:post, url)
+        stub_full_request(url, method: :post)
 
         service_instance.execute
 
-        expect(WebMock).to have_requested(:post, url).with(
+        expect(WebMock).to have_requested(:post, stubbed_hostname(url)).with(
           headers: headers.merge('Authorization' => 'Basic ZGVtbzpkZW1v')
         ).once
       end
@@ -82,11 +84,11 @@ describe WebHookService do
       let(:project_hook) { create(:project_hook, url: 'https://demo@example.org/') }
 
       it 'uses the credentials anyways' do
-        WebMock.stub_request(:post, url)
+        stub_full_request(url, method: :post)
 
         service_instance.execute
 
-        expect(WebMock).to have_requested(:post, url).with(
+        expect(WebMock).to have_requested(:post, stubbed_hostname(url)).with(
           headers: headers.merge('Authorization' => 'Basic ZGVtbzo=')
         ).once
       end