Ted Johansson
67e7808603
SECURITY: Add FastImage SSRF safe freedom patch
2024-07-03 20:49:15 +08:00
Leonardo Mosquera
508e2e601c
FIX: FinalDestination::HTTP: validate address argument ( #25407 )
This would only be empty due to a programming error elsewhere, but
checking this here is a failstop so that it doesn't go further.
2024-01-24 18:50:42 -03:00
Loïc Guitaut
0f4beab0fb
DEV: Update the rubocop-discourse gem
This enables cops related to RSpec `subject`.
See https://github.com/discourse/rubocop-discourse/pull/32
2023-06-26 11:41:52 +02:00
Ted Johansson
39c2f63b35
SECURITY: Add FinalDestination::FastImage that's SSRF safe
2023-03-16 15:27:09 -06:00
Alan Guo Xiang Tan
fd16eade7f
SECURITY: SSRF protection bypass with IPv4-mapped IPv6 addresses
As part of this commit, we've also expanded our list of private IP
ranges based on
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
and https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
2023-03-16 15:27:09 -06:00
Alan Guo Xiang Tan
b5cd22edb6
DEV: Introduce stub_ip_lookup spec helper ( #20571 )
2023-03-08 09:28:09 +08:00
Sam
3f5fa4eb09
DEV: avoid mocking FinalDestination ( #20570 )
2023-03-08 09:09:18 +08:00
Leonardo Mosquera
509fee0f5a
FIX: allow changing default DNS query timeout of 2s via GlobalSetting ( #20383 )
The current default timeout is hardcoded to 2 seconds which is proving
too low for certain cases, and resulting in sporadic timeouts due to slow DNS queries.
2023-02-21 09:54:29 +11:00
David Taylor
cb932d6ee1
DEV: Apply syntax_tree formatting to spec/*
2023-01-09 11:49:28 +00:00
Ted Johansson
06db264f24
FIX: Gracefully handle DNS issues from SSRF lookup when inline oneboxing ( #19631 )
There is an issue where chat message processing breaks due to
unhandled `SocketError` exceptions originating in the SSRF check,
specifically in `FinalDestination::Resolver`.
This change gives `FinalDestination::SSRFDetector` a new error class
to wrap the `SocketError` in, and has the `RetrieveTitle` class
handle that error gracefully.
2022-12-28 10:30:20 +08:00
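An added illustration, in Ruby because that is Discourse's language, of two points raised in the commits above: the IPv4-mapped IPv6 bypass of a private-range check (SECURITY: SSRF protection bypass with IPv4-mapped IPv6 addresses) and wrapping the resolver's `SocketError` in a dedicated error class so callers can handle it (FIX: Gracefully handle DNS issues from SSRF lookup). This is example code, not Discourse's `FinalDestination::SSRFDetector` or `FinalDestination::Resolver`; the method names `naive_blocked?`, `hardened_blocked?` and `safe_destination?`, the `SSRFLookupError` class, the `FAKE_DNS` table and the blocked-range list (an illustrative subset of the IANA IPv4/IPv6 special-purpose registries linked in that commit) are all assumptions made here.

```ruby
require "ipaddr"
require "socket"

# Added example, not Discourse's FinalDestination::SSRFDetector. The CIDRs are
# an illustrative subset of the IANA IPv4/IPv6 special-purpose registries
# (assumption: the project's own list may differ).
BLOCKED_V4 = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24
  203.0.113.0/24 224.0.0.0/4 240.0.0.0/4
].map { |cidr| IPAddr.new(cidr) }.freeze

BLOCKED_V6 = %w[
  ::/128 ::1/128 64:ff9b::/96 fc00::/7 fe80::/10 ff00::/8
].map { |cidr| IPAddr.new(cidr) }.freeze

# Bypassable shape: the list is chosen by the family of the parsed address.
# "::ffff:127.0.0.1" parses as AF_INET6, so only BLOCKED_V6 is consulted and
# the loopback address embedded in it is never compared against 127.0.0.0/8.
def naive_blocked?(ip_string)
  ip = IPAddr.new(ip_string)
  ranges = ip.ipv4? ? BLOCKED_V4 : BLOCKED_V6
  ranges.any? { |range| range.include?(ip) }
end

# Hardened shape: unwrap IPv4-mapped addresses (::ffff:a.b.c.d, also written
# ::ffff:xxxx:xxxx) to native IPv4 before classifying, so the IPv4 list applies.
def hardened_blocked?(ip_string)
  ip = IPAddr.new(ip_string)
  ip = ip.native if ip.ipv4_mapped?
  ranges = ip.ipv4? ? BLOCKED_V4 : BLOCKED_V6
  ranges.any? { |range| range.include?(ip) }
end

# Hypothetical error class standing in for the one the commit describes:
# a lookup failure surfaces as a dedicated error instead of a bare SocketError.
class SSRFLookupError < StandardError; end

# Reject a host if ANY address it resolves to is blocked (an attacker-controlled
# zone can return a public and a private answer together). `resolver` is a
# callable returning an Array of IP strings; a real one would query DNS.
def safe_destination?(hostname, resolver:)
  addresses =
    begin
      resolver.call(hostname)
    rescue SocketError => e
      raise SSRFLookupError, "lookup of #{hostname} failed: #{e.message}"
    end
  raise SSRFLookupError, "no addresses for #{hostname}" if addresses.empty?
  addresses.none? { |addr| hardened_blocked?(addr) }
end

# Constructed lookup table standing in for DNS; these are not real records.
FAKE_DNS = {
  "public.example"   => ["93.184.216.34"],
  "metadata.example" => ["169.254.169.254"],
  "mixed.example"    => ["93.184.216.34", "::ffff:169.254.169.254"],
}.freeze

FAKE_RESOLVER = lambda do |host|
  FAKE_DNS.fetch(host) { raise SocketError, "getaddrinfo: Name or service not known" }
end

if __FILE__ == $PROGRAM_NAME
  %w[127.0.0.1 ::ffff:127.0.0.1 ::ffff:7f00:1 64:ff9b::169.254.169.254].each do |ip|
    puts "#{ip.ljust(26)} naive=#{naive_blocked?(ip)} hardened=#{hardened_blocked?(ip)}"
  end
  FAKE_DNS.each_key { |h| puts "#{h}: #{safe_destination?(h, resolver: FAKE_RESOLVER)}" }
end
```

Running the file prints the naive and hardened verdicts side by side; the mapped forms of loopback and of the link-local metadata address are the ones that differ. The NAT64 prefix (64:ff9b::/96) is handled here by listing it as blocked rather than unwrapping it, which is a simplification of this example, not a statement about the project's logic.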
David Taylor
f1ec8c869a
DEV: Fix FinalDestination::Resolver race condition ( #19558 )
We were adding to the resolver's work queue before setting up the `@lookup` and `@parent` information. That could lead to the lookup being performed on the wrong (or `nil`) hostname. This also led to some flakiness in specs.
2022-12-21 16:02:24 +00:00
David Taylor
a56e679723
DEV: Add logging for flaky FinalDestination spec ( #19548 )
This test occasionally fails in CI. I haven't been able to reproduce the issue locally. This logging will print some extra information when the assertion fails.
2022-12-21 14:40:18 +00:00
dependabot[bot]
43a8ca00b9
Build(deps): Bump net-http from 0.2.2 to 0.3.2 ( #19518 )
Bumps [net-http](https://github.com/ruby/net-http) from 0.2.2 to 0.3.2.
- [Release notes](https://github.com/ruby/net-http/releases)
- [Commits](https://github.com/ruby/net-http/compare/v0.2.2...v0.3.2)
---
updated-dependencies:
- dependency-name: net-http
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
---
Update spec stubs
To account for changes in 65aed40f35
---
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2022-12-19 15:05:18 +00:00
David Taylor
68b4fe4cf8
SECURITY: Expand and improve SSRF Protections ( #18815 )
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2022-11-01 16:33:17 +00:00