mirror of
https://github.com/discourse/discourse.git
synced 2025-05-28 22:37:37 +08:00
SECURITY: Expand and improve SSRF Protections (#18815)
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com> Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
This commit is contained in:
@ -41,6 +41,14 @@ RSpec.describe Onebox::Helpers do
|
||||
described_class.fetch_response('http://example.com/large-file')
|
||||
}.to raise_error(Onebox::Helpers::DownloadTooLarge)
|
||||
end
|
||||
|
||||
it "raises an exception when private url requested" do
|
||||
FinalDestination::TestHelper.stub_to_fail do
|
||||
expect {
|
||||
described_class.fetch_response('http://example.com/large-file')
|
||||
}.to raise_error(FinalDestination::SSRFDetector::DisallowedIpError)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe "fetch_html_doc" do
|
||||
@ -63,13 +71,25 @@ RSpec.describe Onebox::Helpers do
|
||||
|
||||
it "does not follow canonical link pointing at localhost" do
|
||||
uri = 'https://www.example.com'
|
||||
stub_request(:get, uri).to_return(status: 200, body: "<!DOCTYPE html><link rel='canonical' href='http://localhost:3000/'/><p>success</p>")
|
||||
FinalDestination::SSRFDetector.stubs(:lookup_ips).with { |h| h == "localhost" }.returns(["127.0.0.1"])
|
||||
stub_request(:get, uri).to_return(status: 200, body: "<!DOCTYPE html><link rel='canonical' href='http://localhost/test'/><p>success</p>")
|
||||
|
||||
expect(described_class.fetch_html_doc(uri).to_s).to match("success")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe ".fetch_content_length" do
|
||||
it "does not connect to private IP" do
|
||||
uri = 'https://www.example.com'
|
||||
FinalDestination::TestHelper.stub_to_fail do
|
||||
expect {
|
||||
described_class.fetch_content_length(uri)
|
||||
}.to raise_error(FinalDestination::SSRFDetector::DisallowedIpError)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe "redirects" do
|
||||
describe "redirect limit" do
|
||||
before do
|
||||
|
Reference in New Issue
Block a user