Merge branch 'security-github-media-cdn-ssrf' into 'master'

Update GITHUB_MEDIA_CDN to avoid SSRF when importing from Github See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4005 Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> Approved-by: Gregorius Marco <gmarco@gitlab.com> Approved-by: Aaron Huntsman <ahuntsman@gitlab.com> Approved-by: Greg Myers <gmyers@gitlab.com> Reviewed-by: Greg Myers <gmyers@gitlab.com> Co-authored-by: Ivane Gkomarteli <igkomarteli@gitlab.com>

Merge branch 'security-github-media-cdn-ssrf' into 'master'
5a292c1f · GitLab Release Tools Bot · 9e1ec51d · da3b71d7 · 5a292c1f · 5a292c1f
Commit 5a292c1f authored 9 months ago by GitLab Release Tools Bot
--- a/lib/gitlab/github_import/markdown_text.rb
+++ b/lib/gitlab/github_import/markdown_text.rb
@@ -10,7 +10,7 @@ class MarkdownText

      # On github.com we have base url for docs and CDN url for media.
      # On github EE as far as we can know there is no CDN urls and media is placed on base url.
-      GITHUB_MEDIA_CDN = 'https://user-images.githubusercontent.com'
+      GITHUB_MEDIA_CDN = 'https://user-images.githubusercontent.com/'

      ISSUE_REF_MATCHER = '%{github_url}/%{import_source}/issues'
      PULL_REF_MATCHER = '%{github_url}/%{import_source}/pull'

--- a/spec/lib/gitlab/github_import/markdown/attachment_spec.rb
+++ b/spec/lib/gitlab/github_import/markdown/attachment_spec.rb
@@ -71,6 +71,12 @@
        it { expect(described_class.from_markdown(markdown_node)).to eq nil }
      end

+      context 'with allowed domain as subdomain' do
+        let(:url) { "https://user-images.githubusercontent.com.attacker.controlled.domain/1/uuid-1.#{image_extension}" }
+
+        it { expect(described_class.from_markdown(markdown_node)).to eq nil }
+      end
+
      context 'when URL is blank' do
        let(:url) { nil }