Commit f17e36fe authored by Thiago Presa's avatar Thiago Presa

Merge branch 'sh-block-other-localhost-11-4' into 'security-11-4'

[11.4] Prevent SSRF attacks in HipChat integration

See merge request gitlab/gitlabhq!2547
parent 6ebbd70f
---
title: Prevent SSRF attacks in HipChat integration
merge_request:
author:
type: security
# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
module HipChat
class Client
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
end
class Room
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
end
class User
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter
end
end
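Review bot: The patch is keyed on three hard-coded class names, so if a hipchat-rb upgrade renames one of them or adds another HTTParty-backed class, that class silently keeps the default (unfiltered) adapter and the SSRF protection degrades without any error. I would pin the intent with a header comment such as `# Verified against hipchat-rb <version>; every HTTParty class in the gem must be listed here or it bypasses UrlBlocker.` and add a spec asserting the adapter took effect on each class (HTTParty exposes it via `default_options[:connection_adapter]`, if I recall correctly). Note also that `connection_adapter` is called with no options, so whether private-range and link-local addresses (not just localhost) are rejected depends entirely on `Gitlab::ProxyHTTPConnectionAdapter`'s defaults, which are not visible in this commit — worth confirming. Minor style: the new initializer lacks the `# frozen_string_literal: true` header that other files in this tree carry.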
......@@ -387,4 +387,22 @@ describe HipchatService do
end
end
end
context 'with UrlBlocker' do
let(:user) { create(:user) }
let(:project) { create(:project, :repository) }
let(:hipchat) { described_class.new(project: project) }
let(:push_sample_data) { Gitlab::DataBuilder::Push.build_sample(project, user) }
describe '#execute' do
before do
hipchat.server = 'http://localhost:9123'
end
it 'raises UrlBlocker for localhost' do
expect(Gitlab::UrlBlocker).to receive(:validate!).and_call_original
expect { hipchat.execute(push_sample_data) }.to raise_error(Gitlab::HTTP::BlockedUrlError)
end
end
end
end
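Review bot: The new `with UrlBlocker` context only pins the localhost case (`hipchat.server = 'http://localhost:9123'`), so a regression that lets the adapter reach an internal network address would still pass this spec. Adding a second example for a private-range or link-local target, e.g. `hipchat.server = 'http://10.0.0.1:9123'` with the same `raise_error(Gitlab::HTTP::BlockedUrlError)` expectation, would cover the more common SSRF pivot, assuming the adapter is configured to block those ranges (not visible here). The enclosing `describe HipchatService` block starts outside this hunk, so the surrounding `let` helpers it may already define were not reviewed.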