BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
2e3bc6a9
Unverified
Commit
2e3bc6a9
authored
Mar 28, 2018
by
Douwe Maan
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Raise more descriptive errors when URLs are blocked
parent
6b5ec93a
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
52 additions
and
26 deletions
+52
-26
import_service.rb
app/services/projects/import_service.rb
+5
-1
importable_url_validator.rb
app/validators/importable_url_validator.rb
+4
-2
http.rb
lib/gitlab/http.rb
+2
-0
proxy_http_connection_adapter.rb
lib/gitlab/proxy_http_connection_adapter.rb
+6
-6
url_blocker.rb
lib/gitlab/url_blocker.rb
+32
-14
http_spec.rb
spec/lib/gitlab/http_spec.rb
+3
-3
No files found.
app/services/projects/import_service.rb
View file @
2e3bc6a9
...
@@ -28,7 +28,11 @@ module Projects
...
@@ -28,7 +28,11 @@ module Projects
def
add_repository_to_project
def
add_repository_to_project
if
project
.
external_import?
&&
!
unknown_url?
if
project
.
external_import?
&&
!
unknown_url?
raise
Error
,
'Blocked import URL.'
if
Gitlab
::
UrlBlocker
.
blocked_url?
(
project
.
import_url
,
valid_ports:
Project
::
VALID_IMPORT_PORTS
)
begin
Gitlab
::
UrlBlocker
.
validate!
(
project
.
import_url
,
valid_ports:
Project
::
VALID_IMPORT_PORTS
)
rescue
Gitlab
::
UrlBlocker
::
BlockedUrlError
=>
e
raise
Error
,
"Blocked import URL:
#{
e
.
message
}
"
end
end
end
# We should skip the repository for a GitHub import or GitLab project import,
# We should skip the repository for a GitHub import or GitLab project import,
...
...
app/validators/importable_url_validator.rb
View file @
2e3bc6a9
...
@@ -4,8 +4,10 @@
...
@@ -4,8 +4,10 @@
# protect against Server-side Request Forgery (SSRF).
# protect against Server-side Request Forgery (SSRF).
class
ImportableUrlValidator
<
ActiveModel
::
EachValidator
class
ImportableUrlValidator
<
ActiveModel
::
EachValidator
def
validate_each
(
record
,
attribute
,
value
)
def
validate_each
(
record
,
attribute
,
value
)
if
Gitlab
::
UrlBlocker
.
blocked_url?
(
value
,
valid_ports:
Project
::
VALID_IMPORT_PORTS
)
begin
record
.
errors
.
add
(
attribute
,
"imports are not allowed from that URL"
)
Gitlab
::
UrlBlocker
.
validate!
(
value
,
valid_ports:
Project
::
VALID_IMPORT_PORTS
)
rescue
Gitlab
::
UrlBlocker
::
BlockedUrlError
=>
e
record
.
errors
.
add
(
attribute
,
"is blocked:
#{
e
.
message
}
"
)
end
end
end
end
end
end
lib/gitlab/http.rb
View file @
2e3bc6a9
...
@@ -4,6 +4,8 @@
...
@@ -4,6 +4,8 @@
# calling internal IP or services.
# calling internal IP or services.
module
Gitlab
module
Gitlab
class
HTTP
class
HTTP
BlockedUrlError
=
Class
.
new
(
StandardError
)
include
HTTParty
# rubocop:disable Gitlab/HTTParty
include
HTTParty
# rubocop:disable Gitlab/HTTParty
connection_adapter
ProxyHTTPConnectionAdapter
connection_adapter
ProxyHTTPConnectionAdapter
...
...
lib/gitlab/proxy_http_connection_adapter.rb
View file @
2e3bc6a9
...
@@ -10,8 +10,12 @@
...
@@ -10,8 +10,12 @@
module
Gitlab
module
Gitlab
class
ProxyHTTPConnectionAdapter
<
HTTParty
::
ConnectionAdapter
class
ProxyHTTPConnectionAdapter
<
HTTParty
::
ConnectionAdapter
def
connection
def
connection
if
!
allow_local_requests?
&&
blocked_url?
unless
allow_local_requests?
raise
URI
::
InvalidURIError
begin
Gitlab
::
UrlBlocker
.
validate!
(
uri
,
allow_private_networks:
false
)
rescue
Gitlab
::
UrlBlocker
::
BlockedUrlError
=>
e
raise
Gitlab
::
HTTP
::
BlockedUrlError
,
"URL '
#{
uri
}
' is blocked:
#{
e
.
message
}
"
end
end
end
super
super
...
@@ -19,10 +23,6 @@ module Gitlab
...
@@ -19,10 +23,6 @@ module Gitlab
private
private
def
blocked_url?
Gitlab
::
UrlBlocker
.
blocked_url?
(
uri
,
allow_private_networks:
false
)
end
def
allow_local_requests?
def
allow_local_requests?
options
.
fetch
(
:allow_local_requests
,
allow_settings_local_requests?
)
options
.
fetch
(
:allow_local_requests
,
allow_settings_local_requests?
)
end
end
...
...
lib/gitlab/url_blocker.rb
View file @
2e3bc6a9
...
@@ -2,34 +2,45 @@ require 'resolv'
...
@@ -2,34 +2,45 @@ require 'resolv'
module
Gitlab
module
Gitlab
class
UrlBlocker
class
UrlBlocker
class
<<
self
BlockedUrlError
=
Class
.
new
(
StandardError
)
def
blocked_url?
(
url
,
allow_private_networks:
true
,
valid_ports:
[])
return
false
if
url
.
nil?
blocked_ips
=
[
"127.0.0.1"
,
"::1"
,
"0.0.0.0"
]
class
<<
self
blocked_ips
.
concat
(
Socket
.
ip_address_list
.
map
(
&
:ip_address
))
def
validate!
(
url
,
allow_localhost:
false
,
allow_private_networks:
true
,
valid_ports:
[])
return
true
if
url
.
nil?
begin
begin
uri
=
Addressable
::
URI
.
parse
(
url
)
uri
=
Addressable
::
URI
.
parse
(
url
)
# Allow imports from the GitLab instance itself but only from the configured ports
# Allow imports from the GitLab instance itself but only from the configured ports
return
fals
e
if
internal?
(
uri
)
return
tru
e
if
internal?
(
uri
)
r
eturn
true
if
blocked_port?
(
uri
.
port
,
valid_ports
)
r
aise
BlockedUrlError
,
"Port is blocked"
if
blocked_port?
(
uri
.
port
,
valid_ports
)
r
eturn
true
if
blocked_user_or_hostname?
(
uri
.
user
)
r
aise
BlockedUrlError
,
"User is blocked"
if
blocked_user_or_hostname?
(
uri
.
user
)
r
eturn
true
if
blocked_user_or_hostname?
(
uri
.
hostname
)
r
aise
BlockedUrlError
,
"Hostname is blocked"
if
blocked_user_or_hostname?
(
uri
.
hostname
)
addrs_info
=
Addrinfo
.
getaddrinfo
(
uri
.
hostname
,
80
,
nil
,
:STREAM
)
addrs_info
=
Addrinfo
.
getaddrinfo
(
uri
.
hostname
,
80
,
nil
,
:STREAM
)
server_ips
=
addrs_info
.
map
(
&
:ip_address
)
return
true
if
(
blocked_ips
&
server_ips
).
any?
if
!
allow_localhost
&&
localhost?
(
addrs_info
)
return
true
if
!
allow_private_networks
&&
private_network?
(
addrs_info
)
raise
BlockedUrlError
,
"Requests to localhost are blocked"
end
if
!
allow_private_networks
&&
private_network?
(
addrs_info
)
raise
BlockedUrlError
,
"Requests to the private local network are blocked"
end
rescue
Addressable
::
URI
::
InvalidURIError
rescue
Addressable
::
URI
::
InvalidURIError
r
eturn
true
r
aise
BlockedUrlError
,
"URI is invalid"
rescue
SocketError
rescue
SocketError
return
false
return
end
end
true
end
def
blocked_url?
(
*
args
)
validate!
(
*
args
)
false
false
rescue
BlockedUrlError
true
end
end
private
private
...
@@ -60,6 +71,13 @@ module Gitlab
...
@@ -60,6 +71,13 @@ module Gitlab
(
uri
.
port
.
blank?
||
uri
.
port
==
config
.
gitlab_shell
.
ssh_port
)
(
uri
.
port
.
blank?
||
uri
.
port
==
config
.
gitlab_shell
.
ssh_port
)
end
end
def
localhost?
(
addrs_info
)
blocked_ips
=
[
"127.0.0.1"
,
"::1"
,
"0.0.0.0"
]
blocked_ips
.
concat
(
Socket
.
ip_address_list
.
map
(
&
:ip_address
))
(
blocked_ips
&
addrs_info
.
map
(
&
:ip_address
)).
any?
end
def
private_network?
(
addrs_info
)
def
private_network?
(
addrs_info
)
addrs_info
.
any?
{
|
addr
|
addr
.
ipv4_private?
||
addr
.
ipv6_sitelocal?
}
addrs_info
.
any?
{
|
addr
|
addr
.
ipv4_private?
||
addr
.
ipv6_sitelocal?
}
end
end
...
...
spec/lib/gitlab/http_spec.rb
View file @
2e3bc6a9
...
@@ -12,11 +12,11 @@ describe Gitlab::HTTP do
...
@@ -12,11 +12,11 @@ describe Gitlab::HTTP do
end
end
it
'deny requests to localhost'
do
it
'deny requests to localhost'
do
expect
{
described_class
.
get
(
'http://localhost:3003'
)
}.
to
raise_error
(
URI
::
InvalidURI
Error
)
expect
{
described_class
.
get
(
'http://localhost:3003'
)
}.
to
raise_error
(
Gitlab
::
HTTP
::
BlockedUrl
Error
)
end
end
it
'deny requests to private network'
do
it
'deny requests to private network'
do
expect
{
described_class
.
get
(
'http://192.168.1.2:3003'
)
}.
to
raise_error
(
URI
::
InvalidURI
Error
)
expect
{
described_class
.
get
(
'http://192.168.1.2:3003'
)
}.
to
raise_error
(
Gitlab
::
HTTP
::
BlockedUrl
Error
)
end
end
context
'if allow_local_requests set to true'
do
context
'if allow_local_requests set to true'
do
...
@@ -41,7 +41,7 @@ describe Gitlab::HTTP do
...
@@ -41,7 +41,7 @@ describe Gitlab::HTTP do
context
'if allow_local_requests set to false'
do
context
'if allow_local_requests set to false'
do
it
'override the global value and ban requests to localhost or private network'
do
it
'override the global value and ban requests to localhost or private network'
do
expect
{
described_class
.
get
(
'http://localhost:3003'
,
allow_local_requests:
false
)
}.
to
raise_error
(
URI
::
InvalidURI
Error
)
expect
{
described_class
.
get
(
'http://localhost:3003'
,
allow_local_requests:
false
)
}.
to
raise_error
(
Gitlab
::
HTTP
::
BlockedUrl
Error
)
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment