author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:19:48 +0300 |
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:19:48 +0300 |
commit | 791325145d7ff9640e2ce652d135086906fa2bce (patch) | |
tree | b9e2096d52c97f5e1a3a0891dd4407fbc0177461 /spec | |
parent | a738d03187624132ec1041e41cfda09401a5ffa4 (diff) | |
parent | e5181ff4facbf61bcb284e0d3a8d1fd2e8119b06 (diff) |
Merge branch 'security-kubernetes-local-ssrf-11-8' into '11-8-stable'
Block local URLs for Kubernetes integration
See merge request gitlab/gitlabhq!2959
Diffstat (limited to 'spec')
-rw-r--r-- | spec/lib/gitlab/kubernetes/kube_client_spec.rb | 30 | ||||
-rw-r--r-- | spec/models/clusters/platforms/kubernetes_spec.rb | 16 |
2 files changed, 46 insertions, 0 deletions
diff --git a/spec/lib/gitlab/kubernetes/kube_client_spec.rb b/spec/lib/gitlab/kubernetes/kube_client_spec.rb
index 02364e92149..978e64c4407 100644
--- a/spec/lib/gitlab/kubernetes/kube_client_spec.rb
+++ b/spec/lib/gitlab/kubernetes/kube_client_spec.rb
@@ -50,6 +50,36 @@ describe Gitlab::Kubernetes::KubeClient do
 end
 end
+ describe '#initialize' do
+ shared_examples 'local address' do
+ it 'blocks local addresses' do
+ expect { client }.to raise_error(Gitlab::UrlBlocker::BlockedUrlError)
+ end
+
+ context 'when local requests are allowed' do
+ before do
+ stub_application_setting(allow_local_requests_from_hooks_and_services: true)
+ end
+
+ it 'allows local addresses' do
+ expect { client }.not_to raise_error
+ end
+ end
+ end
+
+ context 'localhost address' do
+ let(:api_url) { 'http://localhost:22' }
+
+ it_behaves_like 'local address'
+ end
+
+ context 'private network address' do
+ let(:api_url) { 'http://192.168.1.2:3003' }
+
+ it_behaves_like 'local address'
+ end
+ end
+
 describe '#core_client' do
 subject { client.core_client }
diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb
index c273fa7e164..8dfc9297d0a 100644
--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -98,6 +98,22 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
 it { expect(kubernetes.save).to be_truthy }
 end
+
+ context 'when api_url is localhost' do
+ let(:api_url) { 'http://localhost:22' }
+
+ it { expect(kubernetes.save).to be_falsey }
+
+ context 'Application settings allows local requests' do
+ before do
+ allow(ApplicationSetting)
+ .to receive(:current)
+ .and_return(ApplicationSetting.build_from_defaults(allow_local_requests_from_hooks_and_services: true))
+ end
+
+ it { expect(kubernetes.save).to be_truthy }
+ end
+ end
 end
 context 'when validates token' do |
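Review bot: The two contexts added under `describe '#initialize'` in kube_client_spec.rb exercise only the literal hostname `localhost` and one private IPv4 address, so the spec never shows that the block also covers IPv6 loopback or a hostname that only resolves to a local address; a third context such as `context 'IPv6 loopback address' do` / `let(:api_url) { 'http://[::1]:22' }` / `it_behaves_like 'local address'` would pin that the check is applied to the resolved host rather than to the string. The shared example asserts only that construction raises `Gitlab::UrlBlocker::BlockedUrlError`; a sibling example showing that a non-local `api_url` does not raise would make the `not_to raise_error` case meaningful on its own, unless the surrounding `describe` already covers it. `client` and `api_url` are defined outside the hunk, so whether the URL is consumed in `#initialize` itself cannot be confirmed from these lines.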
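Review bot: `it { expect(kubernetes.save).to be_falsey }` in the new `context 'when api_url is localhost'` of kubernetes_spec.rb proves only that save fails, not that it fails because of the local-URL check; any other validation error would make it pass. Asserting on the attribute error instead, e.g. `it { expect(kubernetes).not_to be_valid }` and `it { expect(kubernetes.errors[:api_url]).to be_present }`, ties the failure to the blocked address (presumably the validation is attached to `:api_url`; confirm against the model). The nested context stubs the setting with `allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.build_from_defaults(...))`, whereas the kube_client_spec.rb hunk in the same commit uses `stub_application_setting(allow_local_requests_from_hooks_and_services: true)`; using the helper here as well keeps the two specs consistent and avoids replacing the whole current settings object for the example. The context description 'Application settings allows local requests' should read 'Application settings allow local requests'.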