Remove access to local requests via cube query service

Merge branch 'security-product-analytics-ssrf-cube-localhost-17-2' into '17-2-stable-ee' See merge request gitlab-org/security/gitlab!4494 Changelog: security

Remove access to local requests via cube query service
1a46c8c1 · Max Woolf · GitLab Release Tools Bot · 5e02069e · 1a46c8c1 · 1a46c8c1
Commit 1a46c8c1 authored 4 months ago by Max Woolf Committed by GitLab Release Tools Bot 4 months ago
--- a/ee/app/services/product_analytics/cube_data_query_service.rb
+++ b/ee/app/services/product_analytics/cube_data_query_service.rb
@@ -32,7 +32,7 @@ def cannot_query_data?
  
    def query_data
      options = {
-        allow_local_requests: true,
+        allow_local_requests: false,
        headers: cube_security_headers
      }
  

--- a/ee/app/workers/product_analytics/initialize_snowplow_product_analytics_worker.rb
+++ b/ee/app/workers/product_analytics/initialize_snowplow_product_analytics_worker.rb
@@ -25,7 +25,7 @@ def perform(project_id)
      response = Gitlab::HTTP.post(
        URI.join(::ProductAnalytics::Settings.for_project(@project).product_analytics_configurator_connection_string,
          "setup-project/gitlab_project_#{project_id}"),
-        allow_local_requests: true,
+        allow_local_requests: false,
        timeout: 10
      )
  

--- a/ee/app/workers/product_analytics/move_funnels_worker.rb
+++ b/ee/app/workers/product_analytics/move_funnels_worker.rb
@@ -20,7 +20,7 @@ def perform(project_id, previous_custom_project_id, new_custom_project_id)
        "#{ ::ProductAnalytics::Settings.for_project(@project)
                                        .product_analytics_configurator_connection_string }/funnel-schemas",
        body: build_payload.to_json,
-        allow_local_requests: true
+        allow_local_requests: false
      )
    end
  

--- a/ee/app/workers/product_analytics/sync_funnels_worker.rb
+++ b/ee/app/workers/product_analytics/sync_funnels_worker.rb
@@ -23,7 +23,7 @@ def perform(project_id, newrev, user_id)
            project_ids: project_ids.map { |id| "gitlab_project_#{id}" },
            funnels: funnels
          }.to_json,
-          allow_local_requests: true
+          allow_local_requests: false
        )
      end
    end

--- a/ee/spec/workers/product_analytics/sync_funnels_worker_spec.rb
+++ b/ee/spec/workers/product_analytics/sync_funnels_worker_spec.rb
@@ -19,7 +19,7 @@
        url_to_projects_regex.each do |url, projects_regex|
          expect(Gitlab::HTTP).to receive(:post)
                                    .with(URI.parse(url.to_s), {
-                                      allow_local_requests: true,
+                                      allow_local_requests: false,
                                      body: Regexp.new(projects_regex.source + /.*\"state\":\"created\"/.source)
                                    }).once
                                    .and_return(instance_double("HTTParty::Response", body: { result: 'success' }))
@@ -59,7 +59,7 @@
        url_to_projects_regex.each do |url, projects_regex|
          expect(Gitlab::HTTP).to receive(:post)
                                    .with(URI.parse(url.to_s), {
-                                      allow_local_requests: true,
+                                      allow_local_requests: false,
                                      body: Regexp.new(projects_regex.source + /.*\"state\":\"updated\"/.source)
                                    }).once.and_return(instance_double("HTTParty::Response",
                                      body: { result: 'success' }))
@@ -100,7 +100,7 @@
        url_to_projects_regex.each do |url, _projects_regex|
          expect(Gitlab::HTTP).to receive(:post)
                                    .with(URI.parse(url.to_s), {
-                                      allow_local_requests: true,
+                                      allow_local_requests: false,
                                      body: /\"previous_name\":\"example1\"/
                                    }).once
                                    .and_return(instance_double("HTTParty::Response", body: { result: 'success' }))
@@ -137,7 +137,7 @@
        url_to_projects_regex.each do |url, projects_regex|
          expect(Gitlab::HTTP).to receive(:post)
                                    .with(URI.parse(url.to_s), {
-                                      allow_local_requests: true,
+                                      allow_local_requests: false,
                                      body: Regexp.new(projects_regex.source + /.*\"state\":\"deleted\"/.source)
                                    }).once
                                    .and_return(instance_double("HTTParty::Response", body: { result: 'success' }))
@@ -156,7 +156,7 @@
          url_to_projects_regex.each do |url, projects_regex|
            expect(Gitlab::HTTP).to receive(:post)
                                      .with(URI.parse(url.to_s), {
-                                        allow_local_requests: true,
+                                        allow_local_requests: false,
                                        body: Regexp.new(projects_regex.source + /.*\"state\":\"deleted\"/.source)
                                      }).once
                                      .and_return(instance_double("HTTParty::Response", body: { result: 'success' }))