Ted Johansson
d133692605
SECURITY: Add FinalDestination::FastImage that's SSRF safe
2023-03-16 16:25:48 -06:00
Alan Guo Xiang Tan
87032e87ea
SECURITY: SSRF protection bypass with IPv4-mapped IPv6 addresses
...
As part of this commit, we've also expanded our list of private IP
ranges based on
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
and https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
2023-03-16 16:25:48 -06:00
Alan Guo Xiang Tan
749a4c5937
DEV: Introduce stub_ip_lookup
spec helper ( #20571 )
2023-03-09 08:46:41 +08:00
Sam
f6dc6da3f8
DEV: avoid mocking FinalDestination ( #20570 )
2023-03-09 08:46:41 +08:00
David Taylor
cb932d6ee1
DEV: Apply syntax_tree formatting to spec/*
2023-01-09 11:49:28 +00:00
Ted Johansson
06db264f24
FIX: Gracefully handle DNS issued from SSRF lookup when inline oneboxing ( #19631 )
...
There is an issue where chat message processing breaks due to
unhandles `SocketError` exceptions originating in the SSRF check,
specifically in `FinalDestination::Resolver`.
This change gives `FinalDestination::SSRFDetector` a new error class
to wrap the `SocketError` in, and haves the `RetrieveTitle` class
handle that error gracefully.
2022-12-28 10:30:20 +08:00
David Taylor
f1ec8c869a
DEV: Fix FinalDestination::Resolver race condition ( #19558 )
...
We were adding to the resolver's work queue before setting up the `@lookup` and `@parent` information. That could lead to the lookup being performed on the wrong (or `nil`) hostname. This also lead to some flakiness in specs.
2022-12-21 16:02:24 +00:00
David Taylor
a56e679723
DEV: Add logging for flaky FinalDestination spec ( #19548 )
...
This test occasionally fails in CI. I haven't been able to reproduce the issue locally. This logging will print some extra information when the assertion fails.
2022-12-21 14:40:18 +00:00
dependabot[bot]
43a8ca00b9
Build(deps): Bump net-http from 0.2.2 to 0.3.2 ( #19518 )
...
Bumps [net-http](https://github.com/ruby/net-http ) from 0.2.2 to 0.3.2.
- [Release notes](https://github.com/ruby/net-http/releases )
- [Commits](https://github.com/ruby/net-http/compare/v0.2.2...v0.3.2 )
---
updated-dependencies:
- dependency-name: net-http
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
---
Update spec stubs
To account for changes in 65aed40f35
---
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2022-12-19 15:05:18 +00:00
David Taylor
68b4fe4cf8
SECURITY: Expand and improve SSRF Protections ( #18815 )
...
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2022-11-01 16:33:17 +00:00