Age | Commit message | Author
Now, when the DNS rebinding setting is disabled, we will
allow URLs that are not resolvable.
Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>
When we can't resolve the hostname or it is invalid, we shouldn't
even perform the request. This fix also fixes the problem of the
SSRF rebinding attack.
We can't stub feature flags outside example blocks. Nevertheless,
there are some actions that call the UrlBlocker, that are performed
outside example blocks, i.e. the `set` instruction.
That's why we have to use some signaling mechanism outside the scope
of the specs.
https://github.com/rubocop-hq/ruby-style-guide#dangerous-method-bang
Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.
Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
[11.5] Fix SSRF in project integrations
See merge request gitlab/gitlabhq!2611
[master] Fix CRLF issue in UrlValidator
See merge request gitlab/gitlabhq!2627
[master] Stored XSS for Environments
Closes #2727
See merge request gitlab/gitlabhq!2594
Block additional localhost addresses in UrlBlocker
See merge request gitlab/gitlabhq!2487
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128
Closes https://gitlab.com/gitlab-com/migration/issues/766
because of SSRF
Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2337
Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
See merge request gitlab/gitlabhq!2219
(cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5)
1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions
Ensure user and hostnames begin with an alnum character in UrlBlocker
See merge request !2138
nil check for url_blocker?
See merge request !2076
Protect server against SSRF in project import URLs
See merge request !2068