Merge branch 'fj-remove-dns-protection-when-validating' into 'master'

Avoid checking dns rebind protection in validation Closes #66723 See merge request gitlab-org/gitlab-ce!32577 (cherry picked from commit 4e9c531a) 8f07ba0d Avoid checking dns rebind protection in validation

Merge branch 'fj-remove-dns-protection-when-validating' into 'master'
8e4b8dfc · Thong Kuah · 🤖 GitLab Bot 🤖 · 9249a422 · 8e4b8dfc · 8e4b8dfc
Commit 8e4b8dfc authored 5 years ago by Thong Kuah 💬 Committed by 🤖 GitLab Bot 🤖 5 years ago
--- a/app/validators/addressable_url_validator.rb
+++ b/app/validators/addressable_url_validator.rb
@@ -42,6 +42,11 @@
 class AddressableUrlValidator < ActiveModel::EachValidator
  attr_reader :record
  
+  # By default, we avoid checking the dns rebinding protection
+  # when saving/updating a record. Sometimes, the url
+  # is not resolvable at that point, and some automated
+  # tasks that uses that url won't work.
+  # See https://gitlab.com/gitlab-org/gitlab-ce/issues/66723
  BLOCKER_VALIDATE_OPTIONS = {
    schemes: %w(http https),
    ports: [],
@@ -49,7 +54,8 @@ class AddressableUrlValidator < ActiveModel::EachValidator
    allow_local_network: true,
    ascii_only: false,
    enforce_user: false,
-    enforce_sanitization: false
+    enforce_sanitization: false,
+    dns_rebind_protection: false
  }.freeze
  
  DEFAULT_OPTIONS = BLOCKER_VALIDATE_OPTIONS.merge({

--- a/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
+++ b/changelogs/unreleased/fj-remove-dns-protection-when-validating.yml
+---
+title: Avoid checking dns rebind protection when validating
+merge_request: 32577
+author:
+type: fixed
--- a/spec/validators/addressable_url_validator_spec.rb
+++ b/spec/validators/addressable_url_validator_spec.rb
@@ -92,6 +92,15 @@ describe AddressableUrlValidator do
      expect(badge.errors).to be_empty
      expect(badge.link_url).to eq('https://127.0.0.1')
    end
+
+    it 'allows urls that cannot be resolved' do
+      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+      badge.link_url = 'http://foobar.x'
+
+      subject
+
+      expect(badge.errors).to be_empty
+    end
  end
  
  context 'when message is set' do
@@ -312,4 +321,32 @@ describe AddressableUrlValidator do
      end
    end
  end
+
+  context 'when dns_rebind_protection is' do
+    let(:not_resolvable_url) { 'http://foobar.x' }
+    let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) }
+
+    before do
+      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
+      badge.link_url = not_resolvable_url
+
+      subject
+    end
+
+    context 'true' do
+      let(:dns_value) { true }
+
+      it 'raises error' do
+        expect(badge.errors).to be_present
+      end
+    end
+
+    context 'false' do
+      let(:dns_value) { false }
+
+      it 'allows urls that cannot be resolved' do
+        expect(badge.errors).to be_empty
+      end
+    end
+  end
 end