
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'spec/lib/gitlab/url_blocker_spec.rb')
-rw-r--r--spec/lib/gitlab/url_blocker_spec.rb99
1 files changed, 96 insertions, 3 deletions
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb
index 05f7af7606d..912093be29f 100644
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -8,7 +8,9 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:schemes) { %w[http https] }
describe '#validate!' do
- subject { described_class.validate!(import_url, schemes: schemes) }
+ let(:options) { { schemes: schemes } }
+
+ subject { described_class.validate!(import_url, **options) }
shared_examples 'validates URI and hostname' do
it 'runs the url validations' do
@@ -19,6 +21,73 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end
end
+ shared_context 'instance configured to deny all requests' do
+ before do
+ allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_return(true)
+ stub_application_setting(deny_all_requests_except_allowed: true)
+ end
+ end
+
+ shared_examples 'a URI denied by `deny_all_requests_except_allowed`' do
+ context 'when instance setting is enabled' do
+ include_context 'instance configured to deny all requests'
+
+ it 'blocks the request' do
+ expect { subject }.to raise_error(described_class::BlockedUrlError)
+ end
+ end
+
+ context 'when instance setting is not enabled' do
+ it 'does not block the request' do
+ expect { subject }.not_to raise_error
+ end
+ end
+
+ context 'when passed as an argument' do
+ let(:options) { super().merge(deny_all_requests_except_allowed: arg_value) }
+
+ context 'when argument is a proc that evaluates to true' do
+ let(:arg_value) { proc { true } }
+
+ it 'blocks the request' do
+ expect { subject }.to raise_error(described_class::BlockedUrlError)
+ end
+ end
+
+ context 'when argument is a proc that evaluates to false' do
+ let(:arg_value) { proc { false } }
+
+ it 'does not block the request' do
+ expect { subject }.not_to raise_error
+ end
+ end
+
+ context 'when argument is true' do
+ let(:arg_value) { true }
+
+ it 'blocks the request' do
+ expect { subject }.to raise_error(described_class::BlockedUrlError)
+ end
+ end
+
+ context 'when argument is false' do
+ let(:arg_value) { false }
+
+ it 'does not block the request' do
+ expect { subject }.not_to raise_error
+ end
+ end
+ end
+ end
+
+ shared_examples 'a URI exempt from `deny_all_requests_except_allowed`' do
+ include_context 'instance configured to deny all requests'
+
+ it 'does not block the request' do
+ expect { subject }.not_to raise_error
+ end
+ end
+
context 'when URI is nil' do
let(:import_url) { nil }
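Review bot: The `'when passed as an argument'` contexts in the "denied" shared examples never combine the argument with the enabled instance setting, so nothing pins which of the two wins when they disagree. That precedence is the security-relevant part: if a caller passing `deny_all_requests_except_allowed: false` can override an instance-wide deny, that should be an asserted, deliberate behaviour rather than an untested one. A sibling context that adds `include_context 'instance configured to deny all requests'` together with `let(:arg_value) { false }`, and asserts the intended outcome, would cover it. Separately, `'when instance setting is not enabled'` relies on the setting's default instead of stubbing it to false, so it would silently change meaning if that default ever changed.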
@@ -26,6 +95,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { nil }
let(:expected_hostname) { nil }
end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
end
context 'when URI is internal' do
@@ -39,6 +110,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { 'http://127.0.0.1' }
let(:expected_hostname) { 'localhost' }
end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
end
context 'when URI is for a local object storage' do
@@ -61,7 +134,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end
context 'when allow_object_storage is true' do
- subject { described_class.validate!(import_url, allow_object_storage: true, schemes: schemes) }
+ let(:options) { { allow_object_storage: true, schemes: schemes } }
context 'with a local domain name' do
let(:host) { 'http://review-minio-svc.svc:9000' }
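Review bot: This `let(:options)` rebuilds the whole hash and repeats `schemes: schemes`, whereas the shared examples added earlier in this file extend the outer value with `super().merge(...)`. Writing it as `let(:options) { super().merge(allow_object_storage: true) }` limits the override to the one option under test and avoids dropping any default later added to the top-level `options`. The same applies to the `dns_rebind_protection: false` override in the later hunk. The enclosing context continues outside this hunk.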
@@ -74,6 +147,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { 'http://127.0.0.1:9000/external-diffs/merge_request_diffs/mr-1/diff-1' }
let(:expected_hostname) { 'review-minio-svc.svc' }
end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
end
context 'with an IP address' do
@@ -83,6 +158,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { 'http://127.0.0.1:9000/external-diffs/merge_request_diffs/mr-1/diff-1' }
let(:expected_hostname) { nil }
end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
end
context 'when LFS object storage is enabled' do
@@ -164,6 +241,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { 'https://93.184.216.34' }
let(:expected_hostname) { 'example.org' }
end
+
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
end
context 'when domain cannot be resolved' do
@@ -193,6 +272,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_hostname) { nil }
end
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
+
context 'when the address is invalid' do
let(:import_url) { 'http://1.1.1.1.1' }
@@ -217,10 +298,12 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { 'http://192.168.0.120:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&check-keys=*' }
let(:expected_hostname) { 'a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network' }
end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
end
context 'disabled DNS rebinding protection' do
- subject { described_class.validate!(import_url, dns_rebind_protection: false, schemes: schemes) }
+ let(:options) { { dns_rebind_protection: false, schemes: schemes } }
context 'when URI is internal' do
let(:import_url) { 'http://localhost' }
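Review bot: The `it_behaves_like 'a URI exempt from ...'` line added at the top of this hunk asserts that a rebinding-style hostname resolving to `192.168.0.120` is still allowed while the instance denies all requests, and nothing visible here says why. Presumably the enclosing context places the host or address on the allowlist, but its setup is outside the hunk. If so, a comment above the line such as `# exempt because the enclosing context allowlists this host` would make that explicit. Without it a reader could take this expectation for an accepted bypass of the deny-all setting.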
@@ -229,6 +312,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { import_url }
let(:expected_hostname) { nil }
end
+
+ it_behaves_like 'a URI exempt from `deny_all_requests_except_allowed`'
end
context 'when the URL hostname is a domain' do
@@ -243,6 +328,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { import_url }
let(:expected_hostname) { nil }
end
+
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
end
context 'when domain cannot be resolved' do
@@ -252,6 +339,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { import_url }
let(:expected_hostname) { nil }
end
+
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
end
end
@@ -263,6 +352,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_hostname) { nil }
end
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
+
context 'when it is invalid' do
let(:import_url) { 'http://1.1.1.1.1' }
@@ -270,6 +361,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
let(:expected_uri) { import_url }
let(:expected_hostname) { nil }
end
+
+ it_behaves_like 'a URI denied by `deny_all_requests_except_allowed`'
end
end
end