Merge branch 'sh-block-link-local-master' into 'master'

Block link-local addresses in URLBlocker

See merge request gitlab/gitlabhq!2459

changelogs/unreleased/sh-block-link-local-master.yml

+---
+title: Block link-local addresses in URLBlocker
+merge_request:
+author:
+type: security

lib/gitlab/url_blocker.rb

@@ -31,6 +31,7 @@ module Gitlab
         validate_localhost!(addrs_info) unless allow_localhost
         validate_local_network!(addrs_info) unless allow_local_network
+        validate_link_local!(addrs_info) unless allow_local_network
         true
       end
@@ -89,6 +90,13 @@ module Gitlab
         raise BlockedUrlError, "Requests to the local network are not allowed"
       end
+      def validate_link_local!(addrs_info)
+        netmask = IPAddr.new('169.254.0.0/16')
+        return unless addrs_info.any? { |addr| addr.ipv6_linklocal? || netmask.include?(addr.ip_address) }
+
+        raise BlockedUrlError, "Requests to the link local network are not allowed"
+      end
+
       def internal?(uri)
         internal_web?(uri) || internal_shell?(uri)
       end

spec/lib/gitlab/url_blocker_spec.rb

+# coding: utf-8
 require 'spec_helper'
 describe Gitlab::UrlBlocker do
@@ -82,6 +83,17 @@ describe Gitlab::UrlBlocker do
             expect(described_class).not_to be_blocked_url("http://#{ip}")
           end
         end
+
+        it 'allows IPv4 link-local endpoints' do
+          expect(described_class).not_to be_blocked_url('http://169.254.169.254')
+          expect(described_class).not_to be_blocked_url('http://169.254.168.100')
+        end
+
+        # This is blocked due to the hostname check: https://gitlab.com/gitlab-org/gitlab-ce/issues/50227
+        it 'blocks IPv6 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]')
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]')
+        end
       end
       context 'false' do
@@ -96,10 +108,21 @@ describe Gitlab::UrlBlocker do
             expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false)
           end
         end
+
+        it 'blocks IPv4 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://169.254.169.254', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://169.254.168.100', allow_local_network: false)
+        end
+
+        it 'blocks IPv6 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://[FE80::C800:EFF:FE74:8]', allow_local_network: false)
+        end
       end
       def stub_domain_resolv(domain, ip)
-        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true)])
+        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false)])
       end
       def unstub_domain_resolv