
Allow not resolvable urls when dns rebinding setting is disabled

What does this MR do?

In the `UrlBlocker` class, when the URL is not resolvable, we raise an exception. This was added in order to mitigate the bypass of the fix to prevent DNS rebinding attacks.

Nevertheless, there are scenarios in which the URL is valid but, at the moment of checking, is still not resolvable. Such a URL should be allowed if the DNS rebinding protection setting is disabled.

Refs https://gitlab.com/gitlab-org/gitlab-ce/issues/66723

Does this MR meet the acceptance criteria?

Conformity

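The behaviour this merge request describes, as an added Ruby example that is not part of the merge request and is not GitLab's code: an unresolvable host is rejected only while DNS rebinding protection is enabled, and a host that does resolve is checked against blocked ranges either way. `validate_url`, `BlockedUrlError`, `BLOCKED_RANGES` and the resolver lambdas are hypothetical names, and the example assumes that "protection" means the caller connects to the address that was validated.

```ruby
require 'ipaddr'
require 'socket'
require 'uri'

# Hypothetical names throughout; this is not GitLab's UrlBlocker.
class BlockedUrlError < StandardError; end

BLOCKED_RANGES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
                    169.254.0.0/16 ::1/128 fc00::/7 fe80::/10].map { |r| IPAddr.new(r) }

# Real lookups; raises SocketError when the name does not resolve.
SYSTEM_RESOLVER = ->(host) { Addrinfo.getaddrinfo(host, nil, nil, :STREAM).map(&:ip_address) }

# Returns [uri, pinned_ip]. pinned_ip is the validated address the caller must
# connect to; nil means the HTTP client will resolve the name again on its own.
def validate_url(url, dns_rebind_protection:, resolver: SYSTEM_RESOLVER)
  uri = URI.parse(url)
  raise BlockedUrlError, 'only http and https are allowed' unless %w[http https].include?(uri.scheme)
  host = uri.hostname.to_s
  raise BlockedUrlError, 'URL has no host' if host.empty?

  addresses = begin
    resolver.call(host).map { |a| IPAddr.new(a) }
  rescue SocketError
    []
  end

  if addresses.empty?
    # Protection on: an unresolvable name cannot be checked or pinned, so reject it.
    raise BlockedUrlError, 'host cannot be resolved' if dns_rebind_protection
    # Protection off: nothing is pinned in this mode (assumption of this example),
    # so a name that does not resolve yet is accepted.
    return [uri, nil]
  end

  # A name that resolves is always checked, whatever the setting is.
  bad = addresses.find { |a| BLOCKED_RANGES.any? { |r| r.include?(a) } }
  raise BlockedUrlError, "#{host} resolves to blocked address #{bad}" if bad

  [uri, dns_rebind_protection ? addresses.first.to_s : nil]
end

# Constructed resolver and records so the example runs offline.
FAKE_DNS = { 'public.example' => ['203.0.113.10'], 'intranet.example' => ['10.0.0.5'] }.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host) { raise SocketError, 'name not known' } }
```

With protection disabled the returned `pinned_ip` is `nil`, so the address check is advisory only: the client performs its own lookup at connect time and may receive a different answer.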