Class: Gitlab::UrlBlocker
- Inherits: Object
- Defined in: lib/gitlab/url_blocker.rb
Constant Summary
- BlockedUrlError = Class.new(StandardError)
Class Method Summary
- .blocked_url?(url, **kwargs) ⇒ Boolean
- .validate!(url, ports: [], schemes: [], allow_localhost: false, allow_local_network: true, allow_object_storage: false, ascii_only: false, enforce_user: false, enforce_sanitization: false, dns_rebind_protection: true) ⇒ Object
  Validates the given url according to the constraints specified by arguments.
Class Method Details
.blocked_url?(url, **kwargs) ⇒ Boolean
    # File 'lib/gitlab/url_blocker.rb', line 74

    def blocked_url?(url, **kwargs)
      validate!(url, **kwargs)

      false
    rescue BlockedUrlError
      true
    end
.validate!(url, ports: [], schemes: [], allow_localhost: false, allow_local_network: true, allow_object_storage: false, ascii_only: false, enforce_user: false, enforce_sanitization: false, dns_rebind_protection: true) ⇒ Object
Validates the given url according to the constraints specified by arguments.
- ports - Raises an error if the URL port is not one of the given ports.
- allow_localhost - Raises an error if the URL resolves to a localhost IP address and the argument is false.
- allow_local_network - Raises an error if the URL resolves to a link-local or private network address and the argument is false.
- allow_object_storage - Avoids raising an error if the URL resolves to an object storage endpoint and the argument is true.
- ascii_only - Raises an error if the URL contains unicode characters and the argument is true.
- enforce_user - Raises an error if the URL user does not start with alphanumeric characters and the argument is true.
- enforce_sanitization - Raises an error if the URL includes any HTML/CSS/JS tags and the argument is true.

Returns an array with [<uri>, <original-hostname>].

rubocop:disable Metrics/ParameterLists
    # File 'lib/gitlab/url_blocker.rb', line 23

    def validate!(
      url,
      ports: [],
      schemes: [],
      allow_localhost: false,
      allow_local_network: true,
      allow_object_storage: false,
      ascii_only: false,
      enforce_user: false,
      enforce_sanitization: false,
      dns_rebind_protection: true)
      # rubocop:enable Metrics/ParameterLists

      return [nil, nil] if url.nil?

      # Param url can be a string, URI or Addressable::URI
      uri = parse_url(url)

      validate_uri(
        uri: uri,
        schemes: schemes,
        ports: ports,
        enforce_sanitization: enforce_sanitization,
        enforce_user: enforce_user,
        ascii_only: ascii_only
      )

      address_info = get_address_info(uri, dns_rebind_protection)
      return [uri, nil] unless address_info

      ip_address = ip_address(address_info)
      return [uri, nil] if domain_allowed?(uri)

      protected_uri_with_hostname = enforce_uri_hostname(ip_address, uri, dns_rebind_protection)

      return protected_uri_with_hostname if ip_allowed?(ip_address, port: get_port(uri))

      # Allow url from the GitLab instance itself but only for the configured hostname and ports
      return protected_uri_with_hostname if internal?(uri)

      return protected_uri_with_hostname if allow_object_storage && object_storage_endpoint?(uri)

      validate_local_request(
        address_info: address_info,
        allow_localhost: allow_localhost,
        allow_local_network: allow_local_network
      )

      protected_uri_with_hostname
    end
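The security-relevant part of validate! is the return value: when dns_rebind_protection is on, the caller gets back a URI whose host has been replaced by the IP address that was actually checked, plus the original hostname to send in the Host header, so a second DNS lookup at connection time cannot swap in a different address. The stand-alone Ruby below is an added illustration of that pattern and of the blocked_url? wrapper; it is not GitLab's code, the MiniUrlBlocker class and its FAKE_DNS table are constructed for the example, and only the localhost and local-network checks are modelled.

```ruby
require 'ipaddr'
require 'uri'

# Reduced model of Gitlab::UrlBlocker (constructed for illustration, not the real class).
class MiniUrlBlocker
  BlockedUrlError = Class.new(StandardError)

  # Constructed DNS table so the example resolves names offline.
  FAKE_DNS = {
    'example.com'   => '93.184.216.34', # public address
    'internal.test' => '10.0.0.5',      # private range
    'localhost'     => '127.0.0.1'
  }.freeze

  LOOPBACK = IPAddr.new('127.0.0.0/8')
  LOCAL_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16]
                 .map { |r| IPAddr.new(r) }.freeze

  # Returns [uri, original_hostname] like the real validate!, raising BlockedUrlError otherwise.
  def self.validate!(url, allow_localhost: false, allow_local_network: true, dns_rebind_protection: true)
    return [nil, nil] if url.nil?

    uri = URI.parse(url.to_s)
    raise BlockedUrlError, 'Only http/https are allowed' unless %w[http https].include?(uri.scheme)
    raise BlockedUrlError, 'Missing host' if uri.host.nil? || uri.host.empty?

    # Resolve exactly once; every later decision, and the connection itself, uses this address.
    ip = FAKE_DNS[uri.host]
    raise BlockedUrlError, "Could not resolve #{uri.host}" unless ip

    addr = IPAddr.new(ip)
    raise BlockedUrlError, 'Requests to localhost are not allowed' if !allow_localhost && LOOPBACK.include?(addr)
    if !allow_local_network && LOCAL_RANGES.any? { |r| r.include?(addr) }
      raise BlockedUrlError, 'Requests to the local network are not allowed'
    end

    # Without rebind protection the hostname is returned untouched, as in the real class.
    return [uri, nil] unless dns_rebind_protection

    # Pin the checked IP into the URI; hostname= brackets IPv6 literals for us.
    pinned = uri.dup
    pinned.hostname = ip
    [pinned, uri.host]
  end

  def self.blocked_url?(url, **kwargs)
    validate!(url, **kwargs)
    false
  rescue BlockedUrlError
    true
  end
end
```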