Diffstat (limited to 'spec/lib/gitlab/url_blocker_spec.rb')
-rw-r--r-- | spec/lib/gitlab/url_blocker_spec.rb | 99 |
1 files changed, 96 insertions, 3 deletions
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb
index 05f7af7606d..912093be29f 100644
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -8,7 +8,9 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:schemes) { %w[http https] }
 describe '#validate!' do
- subject { described_class.validate!(import_url, schemes: schemes) }
+ let(:options) { { schemes: schemes } }
+
+ subject { described_class.validate!(import_url, **options) }
 shared_examples 'validates URI and hostname' do
 it 'runs the url validations' do
@@ -19,6 +21,73 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 end
 end
+ shared_context 'instance configured to deny all requests' do
+ before do
+ allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_return(true)
+ stub_application_setting(deny_all_requests_except_allowed: true)
+ end
+ end
+
+ shared_examples 'a URI denied by `deny_all_requests_except_allowed`' do
+ context 'when instance setting is enabled' do
+ include_context 'instance configured to deny all requests'
+
+ it 'blocks the request' do
+ expect { subject }.to raise_error(described_class::BlockedUrlError)
+ end
+ end
+
+ context 'when instance setting is not enabled' do
+ it 'does not block the request' do
+ expect { subject }.not_to raise_error
+ end
+ end
+
+ context 'when passed as an argument' do
+ let(:options) { super().merge(deny_all_requests_except_allowed: arg_value) }
+
+ context 'when argument is a proc that evaluates to true' do
+ let(:arg_value) { proc { true } }
+
+ it 'blocks the request' do
+ expect { subject }.to raise_error(described_class::BlockedUrlError)
+ end
+ end
+
+ context 'when argument is a proc that evaluates to false' do
+ let(:arg_value) { proc { false } }
+
+ it 'does not block the request' do
+ expect { subject }.not_to raise_error
+ end
+ end
+
+ context 'when argument is true' do
+ let(:arg_value) { true }
+
+ it 'blocks the request' do
+ expect { subject }.to raise_error(described_class::BlockedUrlError)
+ end
+ end
+
+ context 'when argument is false' do
+ let(:arg_value) { false }
+
+ it 'does not block the request' do
+ expect { subject }.not_to raise_error
+ end
+ end
+ end
+ end
+
+ shared_examples 'a URI exempt from `deny_all_requests_except_allowed`' do
+ include_context 'instance configured to deny all requests'
+
+ it 'does not block the request' do
+ expect { subject }.not_to raise_error
+ end
+ end
+
 context 'when URI is nil' do
 let(:import_url) { nil }
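Review bot: The `when argument is false` and `when argument is a proc that evaluates to false` contexts run without the instance setting stubbed on, so they would still pass if `validate!` ignored the argument and fell back to the disabled setting. If the argument is meant to take precedence over the instance setting, add `include_context 'instance configured to deny all requests'` to both false cases so the test fails when the override is lost. The blocking cases also assert only the error class, `raise_error(described_class::BlockedUrlError)`; matching the message too, as in `raise_error(described_class::BlockedUrlError, <message raised for this setting>)`, would keep them from passing when the URL is rejected by an unrelated check.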
@@ -26,6 +95,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { nil }
 let(:expected_hostname) { nil }
 end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
 end
 context 'when URI is internal' do
@@ -39,6 +110,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { 'http://127.0.0.1' }
 let(:expected_hostname) { 'localhost' }
 end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
 end
 context 'when URI is for a local object storage' do
@@ -61,7 +134,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 end
 context 'when allow_object_storage is true' do
- subject { described_class.validate!(import_url, allow_object_storage: true, schemes: schemes) }
+ let(:options) { { allow_object_storage: true, schemes: schemes } }
 context 'with a local domain name' do
 let(:host) { 'http://review-minio-svc.svc:9000' }
@@ -74,6 +147,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { 'http://127.0.0.1:9000/external-diffs/merge_request_diffs/mr-1/diff-1' }
 let(:expected_hostname) { 'review-minio-svc.svc' }
 end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
 end
 context 'with an IP address' do
@@ -83,6 +158,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { 'http://127.0.0.1:9000/external-diffs/merge_request_diffs/mr-1/diff-1' }
 let(:expected_hostname) { nil }
 end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
 end
 context 'when LFS object storage is enabled' do
@@ -164,6 +241,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { 'https://93.184.216.34' }
 let(:expected_hostname) { 'example.org' }
 end
+
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
 end
 context 'when domain cannot be resolved' do
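Review bot: The `it_behaves_like 'a URI exempt from ...'` calls added for the nil URI, the internal URI and both `allow_object_storage` cases exercise the exemption only through the stubbed instance setting. None of them passes `deny_all_requests_except_allowed: true` as an argument, although the denied examples do cover that path. These are the cases that let a request through while deny-all is on, so the shared example should also run once with `let(:options) { super().merge(deny_all_requests_except_allowed: true) }` to pin both entry points. A short comment at each call stating why that class of URI is exempt would let a reader judge whether the pass-through is intended; the enclosing contexts start outside these hunks.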
@@ -193,6 +272,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_hostname) { nil }
 end
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
+
 context 'when the address is invalid' do
 let(:import_url) { 'http://1.1.1.1.1' }
@@ -217,10 +298,12 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { 'http://192.168.0.120:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&check-keys=*' }
 let(:expected_hostname) { 'a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network' }
 end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
 end
 context 'disabled DNS rebinding protection' do
- subject { described_class.validate!(import_url, dns_rebind_protection: false, schemes: schemes) }
+ let(:options) { { dns_rebind_protection: false, schemes: schemes } }
 context 'when URI is internal' do
 let(:import_url) { 'http://localhost' }
@@ -229,6 +312,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { import_url }
 let(:expected_hostname) { nil }
 end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
 end
 context 'when the URL hostname is a domain' do
@@ -243,6 +328,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { import_url }
 let(:expected_hostname) { nil }
 end
+
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
 end
 context 'when domain cannot be resolved' do
@@ -252,6 +339,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { import_url }
 let(:expected_hostname) { nil }
 end
+
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
 end
 end
@@ -263,6 +352,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_hostname) { nil }
 end
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
+
 context 'when it is invalid' do
 let(:import_url) { 'http://1.1.1.1.1' }
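Review bot: In the hunk at `-217,10 +298,12` the exempt example is attached to a case whose `expected_uri` is the private address `http://192.168.0.120:9121/...` behind a `rebind.network` hostname, and the setup that makes this URI exempt sits outside the hunk. From the diff alone a reader cannot tell what lets this request through while deny-all is enabled. A comment above the call, such as `# exempt: <reason, e.g. address is on the allowlist>`, or a context description that names the reason would make the intended bypass reviewable. The same applies to the `http://localhost` case in the hunk at `-229,6 +312,8`, where `dns_rebind_protection: false` is in effect.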
@@ -270,6 +361,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 let(:expected_uri) { import_url }
 let(:expected_hostname) { nil }
 end
+
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
 end
 end
 end
|