authorJohn Jarvis <jarv@gitlab.com>2019-01-01 23:38:37 +0300
committerJohn Jarvis <jarv@gitlab.com>2019-01-01 23:38:37 +0300
commite4dabec82a8f375389b9bb52b8fe6b1ac304d74e (patch)
treeaaa221a679fd83fd7f41478e50a23ded4bc08fd4 /spec
parent8f461ef779187018ddac59dbaccafe01c493e463 (diff)
parent63c48f73803cf1c68d6c9af408f877ea61781118 (diff)
Merge branch 'security-fix-ssrf-import-url-remote-mirror' into 'master'
[master] SSRF - Scan Internal Ports and GCP/AWS endpoints See merge request gitlab/gitlabhq!2689
Diffstat (limited to 'spec')
-rw-r--r--spec/models/project_spec.rb7
-rw-r--r--spec/models/remote_mirror_spec.rb14
2 files changed, 21 insertions, 0 deletions
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index a01f76a5bab..4b86c6a1836 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -299,6 +299,13 @@ describe Project do
expect(project.errors[:import_url].first).to include('Requests to localhost are not allowed')
end
+ it 'does not allow import_url pointing to the local network' do
+ project = build(:project, import_url: 'https://192.168.1.1')
+
+ expect(project).to be_invalid
+ expect(project.errors[:import_url].first).to include('Requests to the local network are not allowed')
+ end
+
it "does not allow import_url with invalid ports for new projects" do
project = build(:project, import_url: 'http://github.com:25/t.git')
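Review bot: The added example `it 'does not allow import_url pointing to the local network'` pins a single RFC 1918 address (`192.168.1.1`), while the merge request title names GCP/AWS endpoints as part of the issue, and nothing in this spec diff exercises a link-local address or the other private ranges. The same gap applies to the local-network example added in spec/models/remote_mirror_spec.rb. The diffstat is limited to `spec` and the URL validator's own spec may already cover these cases, but if it does not, a model-level example such as `project = build(:project, import_url: 'http://169.254.169.254')` followed by `expect(project).to be_invalid` would show whether that address is rejected and guard against regression. The enclosing `describe` block starts and ends outside the hunk.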
diff --git a/spec/models/remote_mirror_spec.rb b/spec/models/remote_mirror_spec.rb
index 5d3c25062d5..224bc9ed935 100644
--- a/spec/models/remote_mirror_spec.rb
+++ b/spec/models/remote_mirror_spec.rb
@@ -24,6 +24,20 @@ describe RemoteMirror, :mailer do
expect(remote_mirror).to be_invalid
expect(remote_mirror.errors[:url].first).to include('Username needs to start with an alphanumeric character')
end
+
+ it 'does not allow url pointing to localhost' do
+ remote_mirror = build(:remote_mirror, url: 'http://127.0.0.2/t.git')
+
+ expect(remote_mirror).to be_invalid
+ expect(remote_mirror.errors[:url].first).to include('Requests to loopback addresses are not allowed')
+ end
+
+ it 'does not allow url pointing to the local network' do
+ remote_mirror = build(:remote_mirror, url: 'https://192.168.1.1')
+
+ expect(remote_mirror).to be_invalid
+ expect(remote_mirror.errors[:url].first).to include('Requests to the local network are not allowed')
+ end
end
end
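Review bot: The example titled `'does not allow url pointing to localhost'` builds the mirror with `http://127.0.0.2/t.git` and expects 'Requests to loopback addresses are not allowed', so the title hides the point of the test, which is that a loopback address other than the usual one is also rejected. Renaming it to `it 'does not allow url pointing to a loopback address' do` keeps that intent visible to the next maintainer. Both new examples also assert on `errors[:url].first`, which matches the neighbouring example but ties the test to validation order. `expect(remote_mirror.errors[:url]).to include(a_string_including('Requests to loopback addresses are not allowed'))` would be less brittle if another URL validation is added later.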