Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee

3 files changed, 35 insertions, 8 deletions

diff --git a/spec/models/integrations/irker_spec.rb b/spec/models/integrations/irker_spec.rb
index 8b207e8b43e..8aea2c26dc5 100644
--- a/spec/models/integrations/irker_spec.rb
+++ b/spec/models/integrations/irker_spec.rb
@@ -2,6 +2,7 @@
 
 require 'spec_helper'
 require 'socket'
+require 'timeout'
 require 'json'
 
 RSpec.describe Integrations::Irker do
@@ -37,6 +38,7 @@ RSpec.describe Integrations::Irker do
     before do
       @irker_server = TCPServer.new 'localhost', 0
 
+      allow(Gitlab::CurrentSettings).to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(true)
       allow(irker).to receive_messages(
         active: true,
         project: project,
@@ -58,13 +60,17 @@ RSpec.describe Integrations::Irker do
       irker.execute(sample_data)
 
       conn = @irker_server.accept
-      conn.each_line do |line|
-        msg = Gitlab::Json.parse(line.chomp("\n"))
-        expect(msg.keys).to match_array(%w(to privmsg))
-        expect(msg['to']).to match_array(["irc://chat.freenode.net/#commits",
-                                          "irc://test.net/#test"])
+
+      Timeout.timeout(5) do
+        conn.each_line do |line|
+          msg = Gitlab::Json.parse(line.chomp("\n"))
+          expect(msg.keys).to match_array(%w(to privmsg))
+          expect(msg['to']).to match_array(["irc://chat.freenode.net/#commits",
+                                            "irc://test.net/#test"])
+        end
       end
-      conn.close
+    ensure
+      conn.close if conn
     end
   end
 end
diff --git a/spec/support/helpers/dns_helpers.rb b/spec/support/helpers/dns_helpers.rb
index ba32ccbb6f1..b941e7c4808 100644
--- a/spec/support/helpers/dns_helpers.rb
+++ b/spec/support/helpers/dns_helpers.rb
@@ -23,7 +23,15 @@ module DnsHelpers
   end
 
   def permit_local_dns!
-    local_addresses = /\A(127|10)\.0\.0\.\d{1,3}|(192\.168|172\.16)\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost\z/i
+    local_addresses = %r{
+      \A
+      ::1? |                                    # IPV6
+      (127|10)\.0\.0\.\d{1,3} |                 # 127.0.0.x or 10.0.0.x local network
+      (192\.168|172\.16)\.\d{1,3}\.\d{1,3} |    # 192.168.x.x or 172.16.x.x local network
+      0\.0\.0\.0 |                              # loopback
+      localhost
+      \z
+    }xi
     allow(Addrinfo).to receive(:getaddrinfo).with(local_addresses, anything, nil, :STREAM).and_call_original
     allow(Addrinfo).to receive(:getaddrinfo).with(local_addresses, anything, nil, :STREAM, anything, anything, any_args).and_call_original
   end
diff --git a/spec/workers/irker_worker_spec.rb b/spec/workers/irker_worker_spec.rb
index aa1f1d2fe1d..c3d40ad2783 100644
--- a/spec/workers/irker_worker_spec.rb
+++ b/spec/workers/irker_worker_spec.rb
@@ -21,7 +21,7 @@ RSpec.describe IrkerWorker, '#perform' do
       channels,
       false,
       push_data,
-      server_settings
+      HashWithIndifferentAccess.new(server_settings)
     ]
   end
 
@@ -35,6 +35,14 @@ RSpec.describe IrkerWorker, '#perform' do
     allow(tcp_socket).to receive(:close).and_return(true)
   end
 
+  context 'local requests are not allowed' do
+    before do
+      allow(Gitlab::CurrentSettings).to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(false)
+    end
+
+    it { expect(worker.perform(*arguments)).to be_falsey }
+  end
+
   context 'connection fails' do
     before do
       allow(TCPSocket).to receive(:new).and_raise(Errno::ECONNREFUSED.new('test'))
@@ -44,6 +52,11 @@ RSpec.describe IrkerWorker, '#perform' do
   end
 
   context 'connection successful' do
+    before do
+      allow(Gitlab::CurrentSettings)
+        .to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(true)
+    end
+
     it { expect(subject.perform(*arguments)).to be_truthy }
 
     context 'new branch' do