Commit 4efa558f authored Aug 08, 2017 by James Edwards-Jones
Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'
Ensure user and hostnames begin with an alnum character in UrlBlocker See merge request !2138
parents 5324ca1e 66919c32
Showing 3 changed files with 47 additions and 0 deletions (+47, -0)
changelogs/unreleased/rs-alphanumeric-ssh-params.yml (+5, -0)
lib/gitlab/url_blocker.rb (+8, -0)
spec/lib/gitlab/url_blocker_spec.rb (+34, -0)
changelogs/unreleased/rs-alphanumeric-ssh-params.yml
0 → 100644
---
title
:
Disallow Git URLs that include a username or hostname beginning with a non-alphanumeric
character
merge_request
:
author
:
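Review bot: the `merge_request:` field of this changelog entry is left blank even though the commit message cites merge request !2138; either fill it in as `merge_request: 2138` or, if the number is deliberately omitted because the entry lands on the security branch, say so in the merge request so the omission is recognisably intentional rather than a forgotten field.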
lib/gitlab/url_blocker.rb
...
@@ -19,6 +19,8 @@ module Gitlab
...
@@ -19,6 +19,8 @@ module Gitlab
return
false
if
internal?
(
uri
)
return
false
if
internal?
(
uri
)
return
true
if
blocked_port?
(
uri
.
port
)
return
true
if
blocked_port?
(
uri
.
port
)
return
true
if
blocked_user_or_hostname?
(
uri
.
user
)
return
true
if
blocked_user_or_hostname?
(
uri
.
hostname
)
server_ips
=
Resolv
.
getaddresses
(
uri
.
hostname
)
server_ips
=
Resolv
.
getaddresses
(
uri
.
hostname
)
return
true
if
(
blocked_ips
&
server_ips
).
any?
return
true
if
(
blocked_ips
&
server_ips
).
any?
...
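Review bot: the two new `blocked_user_or_hostname?` checks sit below `return false if internal?(uri)`, so whether a URL that names the instance's own host but carries a username beginning with a non-alphanumeric character is still rejected depends on what `internal?` inspects, which this hunk does not show; if `internal?` only compares host and port, consider moving the `uri.user` check above that early return. Running both checks before `Resolv.getaddresses(uri.hostname)` is the right order, since a rejected name is never handed to the resolver.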
@@ -37,6 +39,12 @@ module Gitlab
...
@@ -37,6 +39,12 @@ module Gitlab
port
<
1024
&&
!
VALID_PORTS
.
include?
(
port
)
port
<
1024
&&
!
VALID_PORTS
.
include?
(
port
)
end
end
def
blocked_user_or_hostname?
(
value
)
return
false
if
value
.
blank?
value
!~
/\A\p{Alnum}/
end
def
internal?
(
uri
)
def
internal?
(
uri
)
internal_web?
(
uri
)
||
internal_shell?
(
uri
)
internal_web?
(
uri
)
||
internal_shell?
(
uri
)
end
end
...
...
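Review bot: `blocked_user_or_hostname?` needs a one-line comment on why only the first character is tested with `/\A\p{Alnum}/`: the method name says what it rejects but not the rationale, namely that a user or host value starting with a character such as `-` can be read as an option by the SSH client that git invokes, which is what the `-oProxyCommand` spec examples are exercising. The `return false if value.blank?` guard is correct for the no-username case, and for a blank hostname the existing invalid-URL path already returns true per the spec, so the two behaviours are consistent.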
spec/lib/gitlab/url_blocker_spec.rb
...
@@ -20,6 +20,34 @@ describe Gitlab::UrlBlocker, lib: true do
...
@@ -20,6 +20,34 @@ describe Gitlab::UrlBlocker, lib: true do
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com:25/foo/foo.git'
)).
to
be
true
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com:25/foo/foo.git'
)).
to
be
true
end
end
it
'returns true for a non-alphanumeric hostname'
do
stub_resolv
aggregate_failures
do
expect
(
described_class
).
to
be_blocked_url
(
'ssh://-oProxyCommand=whoami/a'
)
# The leading character here is a Unicode "soft hyphen"
expect
(
described_class
).
to
be_blocked_url
(
'ssh://oProxyCommand=whoami/a'
)
# Unicode alphanumerics are allowed
expect
(
described_class
).
not_to
be_blocked_url
(
'ssh://ğitlab.com/a'
)
end
end
it
'returns true for a non-alphanumeric username'
do
stub_resolv
aggregate_failures
do
expect
(
described_class
).
to
be_blocked_url
(
'ssh://-oProxyCommand=whoami@example.com/a'
)
# The leading character here is a Unicode "soft hyphen"
expect
(
described_class
).
to
be_blocked_url
(
'ssh://oProxyCommand=whoami@example.com/a'
)
# Unicode alphanumerics are allowed
expect
(
described_class
).
not_to
be_blocked_url
(
'ssh://ğitlab@example.com/a'
)
end
end
it
'returns true for invalid URL'
do
it
'returns true for invalid URL'
do
expect
(
described_class
.
blocked_url?
(
'http://:8080'
)).
to
be
true
expect
(
described_class
.
blocked_url?
(
'http://:8080'
)).
to
be
true
end
end
...
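Review bot: the comment states that `'ssh://oProxyCommand=whoami/a'` begins with a Unicode soft hyphen, but U+00AD is invisible in the source, so an editor or formatter could drop it and the example would then assert that a plain alphanumeric hostname is blocked, failing for a reason unrelated to the code under test. Writing the character as an escape, for example `"ssh://\u00adoProxyCommand=whoami/a"` (double quotes are required for `\u` escapes in Ruby), makes the intent visible; the same applies to the username example in the second block. Minor style point: the new examples use `be_blocked_url` while the surrounding ones use `blocked_url?(...)).to be true`; picking one form keeps the file consistent.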
@@ -28,4 +56,10 @@ describe Gitlab::UrlBlocker, lib: true do
...
@@ -28,4 +56,10 @@ describe Gitlab::UrlBlocker, lib: true do
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com/foo/foo.git'
)).
to
be
false
expect
(
described_class
.
blocked_url?
(
'https://gitlab.com/foo/foo.git'
)).
to
be
false
end
end
end
end
# Resolv does not support resolving UTF-8 domain names
# See https://bugs.ruby-lang.org/issues/4270
def
stub_resolv
allow
(
Resolv
).
to
receive
(
:getaddresses
).
and_return
([])
end
end
end
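Review bot: `stub_resolv` returns `[]` unconditionally, so in the examples that call it the `(blocked_ips & server_ips).any?` branch can never fire and the new assertions test only the leading-character check; that is the intent, but the comment explains just the UTF-8 limitation of `Resolv`, and a second line noting that the stub also keeps these examples free of live DNS lookups would document why it is called even for the ASCII-only `-oProxyCommand` assertions.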