codeclimate-services 1.7.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 08767ab67555c51f2f492eea001853158febb41b
-  data.tar.gz: f097a06a711a69a01014dc8775bc99f2176bd028
+  metadata.gz: 77816c3d07a72abbd79d831e8852592b4b30b654
+  data.tar.gz: f8696a4c43abd9b325dc9d8baadf5033c4c8246f
 SHA512:
-  metadata.gz: a668a902b808e680c2a0a350506313dcd87b12cbce904d634197c5a109be59a6f6009801dafd841d7df3d69fe7aa6bd2dd7a00c75d8cb067bdebf77c332340a6
-  data.tar.gz: fe1911f20809ac655ec9b94d8cb35394173a9592bd865d683c4c39ffa63aef3c9aa2867d7e8480bdf99299e00e168d204cb418e4bf1e95f064142f7257bffd9e
+  metadata.gz: d6ae01e70ac2bdc798333a52500b11778b47c256c444c7cceb76316c348c532fca4bd405864d4ba12310aac91f81d1a3ae4498a3a986ceb2ef4e0959f888f1e0
+  data.tar.gz: 1237a7918f78505f03e166fdd34f0efe21596dc39837d41a25abe1d8b0867e5a1531205f757cf179b20efba0153f7144064604eccbff01252d1a6118b6885ff3

data/.codeclimate.yml

@@ -0,0 +1,22 @@
+---
+engines:
+  duplication:
+    enabled: true
+    config:
+      languages:
+      - ruby
+  fixme:
+    enabled: true
+  rubocop:
+    enabled: true
+    exclude_fingerprints:
+      # Using #=== intentionally in SafeWebhook
+      - d1afe90be49c43e85a76bfa58f637804
+      # High complexity in http method due to SafeWebhook check
+      - f05cea2d219c0f8119eb826067a18eda
+ratings:
+  paths:
+  - "**.rb"
+exclude_paths:
+- config/
+- spec/

data/Rakefile

@@ -1,8 +1,6 @@
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 
-RSpec::Core::RakeTask.new(:spec) do |task|
-  task.ruby_opts = "-W"
-end
+RSpec::Core::RakeTask.new(:spec)
 
 task default: :spec

data/lib/cc/service/http.rb

@@ -1,5 +1,6 @@
 require "active_support/concern"
 require "cc/service/response_check"
+require "cc/service/safe_webhook"
 
 module CC::Service::HTTP
   extend ActiveSupport::Concern
@@ -38,10 +39,8 @@ module CC::Service::HTTP
   end
 
   def raw_get(url = nil, params = nil, headers = nil)
-    http.get do |req|
-      req.url(url) if url
+    http_method(:get, url, nil, headers) do |req|
       req.params.update(params) if params
-      req.headers.update(headers) if headers
       yield req if block_given?
     end
   end
@@ -59,6 +58,11 @@ module CC::Service::HTTP
       req.headers.update(headers) if headers
       req.body = body if body
       block.call req if block
+
+      unless allow_internal_webhooks?
+        safe_webhook = CC::Service::SafeWebhook.new(url)
+        safe_webhook.validate!(req)
+      end
     end
   end
 
@@ -99,4 +103,9 @@ module CC::Service::HTTP
       message: "Success",
     }
   end
+
+  def allow_internal_webhooks?
+    var = ENV["CODECLIMATE_ALLOW_INTERNAL_WEBHOOKS"] || ""
+    var == "1" || var == "true"
+  end
 end

data/lib/cc/service/safe_webhook.rb

@@ -0,0 +1,71 @@
+require "ipaddr"
+require "resolv"
+
+module CC
+  class Service
+    class SafeWebhook
+      InvalidWebhookURL = Class.new(StandardError)
+
+      # https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
+      # https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
+      PRIVATE_ADDRESS_SUBNETS = [
+        IPAddr.new("10.0.0.0/8"),
+        IPAddr.new("172.16.0.0/12"),
+        IPAddr.new("192.168.0.0/16"),
+        IPAddr.new("fd00::/8"),
+        IPAddr.new("127.0.0.1"),
+        IPAddr.new("0:0:0:0:0:0:0:1"),
+      ].freeze
+
+      def self.getaddress(host)
+        @resolv ||= Resolv::DNS.new
+        @resolv.getaddress(host).to_s
+      end
+
+      def initialize(url)
+        @url = url
+      end
+
+      # Resolve the Host to an IP address, validate that it doesn't point to
+      # anything internal, then alter the request to be for the IP directly with
+      # an explicit Host header given.
+      #
+      # See http://blog.fanout.io/2014/01/27/how-to-safely-invoke-webhooks/#ip-address-blacklisting
+      def validate!(request)
+        uri = URI.parse(url)
+        address = self.class.getaddress(uri.host)
+
+        if internal?(address)
+          raise_invalid("resolves to a private IP address")
+        end
+
+        alter_request(request, uri, address)
+      rescue URI::InvalidURIError, Resolv::ResolvError, Resolv::ResolvTimeout => ex
+        raise_invalid(ex.message)
+      end
+
+      private
+
+      attr_reader :url
+
+      def internal?(address)
+        ip_addr = IPAddr.new(address)
+
+        PRIVATE_ADDRESS_SUBNETS.any? do |subnet|
+          subnet === ip_addr
+        end
+      end
+
+      def alter_request(request, uri, address)
+        address_uri = uri.dup
+        address_uri.host = address
+        request.url(address_uri.to_s)
+        request.headers.update(Host: uri.host)
+      end
+
+      def raise_invalid(message)
+        raise InvalidWebhookURL, "The Webhook URL #{url} is invalid: #{message}"
+      end
+    end
+  end
+end

data/lib/cc/services/version.rb

@@ -1,5 +1,5 @@
 module CC
   module Services
-    VERSION = "1.7.0".freeze
+    VERSION = "1.8.0".freeze
   end
 end

data/spec/cc/service/github_issues_spec.rb

@@ -67,8 +67,10 @@ describe CC::Service::GitHubIssues, type: :service do
   end
 
   it "different base url" do
+    stub_resolv("example.com", "1.1.1.2")
+
     http_stubs.post request_url do |env|
-      expect(env[:url].to_s).to eq("http://example.com/#{request_url}")
+      expect(env[:url].to_s).to eq("http://1.1.1.2/#{request_url}")
       [200, {}, '{"number": 2, "html_url": "http://foo.bar"}']
     end
 

data/spec/cc/service/github_pull_requests_spec.rb

@@ -107,8 +107,10 @@ describe CC::Service::GitHubPullRequests, type: :service do
   end
 
   it "different base url" do
+    stub_resolv("example.com", "1.1.1.2")
+
     http_stubs.post("/repos/pbrisbin/foo/statuses/#{"0" * 40}") do |env|
-      expect(env[:url].to_s).to eq("http://example.com/repos/pbrisbin/foo/statuses/#{"0" * 40}")
+      expect(env[:url].to_s).to eq("http://1.1.1.2/repos/pbrisbin/foo/statuses/#{"0" * 40}")
       [422, { "x-oauth-scopes" => "gist, user, repo" }, ""]
     end
 

data/spec/cc/service/gitlab_merge_requests_spec.rb

@@ -134,14 +134,44 @@ describe CC::Service::GitlabMergeRequests, type: :service do
   end
 
   it "different base url" do
+    stub_resolv("gitlab.hal.org", "1.1.1.2")
+
     http_stubs.post("api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}") do |env|
-      expect(env[:url].to_s).to eq("https://gitlab.hal.org/api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}")
+      expect(env[:url].to_s).to eq("https://1.1.1.2/api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}")
       [404, {}, ""]
     end
 
     expect(receive_test({ base_url: "https://gitlab.hal.org" }, git_url: "ssh://git@gitlab.com/hal/hal9000.git")[:ok]).to eq(true)
   end
 
+  context "SafeWebhook" do
+    it "rewrites the request to be for the resolved IP" do
+      stub_resolv("my.gitlab.com", "1.1.1.2")
+
+      http_stubs.post("api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}") do |env|
+        expect(env[:url].to_s).to eq("https://1.1.1.2/api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}")
+        expect(env[:request_headers][:Host]).to eq("my.gitlab.com")
+        [404, {}, ""]
+      end
+
+      expect(receive_test({ base_url: "https://my.gitlab.com" }, git_url: "ssh://git@gitlab.com/hal/hal9000.git")[:ok]).to eq(true)
+    end
+
+    it "validates that the host doesn't resolve to something internal" do
+      stub_resolv("my.gitlab.com", "127.0.0.1")
+
+      expect do
+        receive_test({ base_url: "https://my.gitlab.com" }, git_url: "")
+      end.to raise_error(CC::Service::SafeWebhook::InvalidWebhookURL)
+
+      stub_resolv("my.gitlab.com", "10.0.0.9")
+
+      expect do
+        receive_test({ base_url: "https://my.gitlab.com" }, git_url: "")
+      end.to raise_error(CC::Service::SafeWebhook::InvalidWebhookURL)
+    end
+  end
+
   private
 
   def expect_status_update(repo, commit_sha, params)

data/spec/cc/service/safe_webhook_spec.rb

@@ -0,0 +1,61 @@
+require "spec_helper"
+
+class CC::Service
+  describe SafeWebhook do
+    describe ".getaddress" do
+      it "resolves the dns name to a string" do
+        address = SafeWebhook.getaddress("codeclimate.com")
+
+        expect(address).to be_present
+        expect(address).to respond_to(:start_with?)
+      end
+    end
+
+    describe "#validate!" do
+      context "valid webhook URLs" do
+        it "rewrites the request to be safe" do
+          stub_resolv("example.com", "2.2.2.2")
+
+          request = double(headers: double)
+          expect(request).to receive(:url).with("https://2.2.2.2:3000/foo")
+          expect(request.headers).to receive(:update).with(Host: "example.com")
+
+          safe_webhook = SafeWebhook.new("https://example.com:3000/foo")
+          safe_webhook.validate!(request)
+        end
+      end
+
+      context "invalid Webhook URLs" do
+        it "raises for invalid URL" do
+          allow(URI).to receive(:parse).and_raise(URI::InvalidURIError)
+
+          expect { validate("http://example.com") }.to raise_error(SafeWebhook::InvalidWebhookURL)
+        end
+
+        it "raises for un-resolvable URL" do
+          allow(SafeWebhook).to receive(:getaddress).and_raise(Resolv::ResolvError)
+
+          expect { validate("http://example.com") }.to raise_error(SafeWebhook::InvalidWebhookURL)
+        end
+
+        it "raises for localhost URLs" do
+          stub_resolv("example.com", "127.0.0.1")
+
+          expect { validate("http://example.com") }.to raise_error(SafeWebhook::InvalidWebhookURL)
+        end
+
+        it "raises for internal URLs" do
+          stub_resolv("example.com", "10.0.0.1")
+
+          expect { validate("http://example.com") }.to raise_error(SafeWebhook::InvalidWebhookURL)
+        end
+
+        def validate(url)
+          request = double
+          safe_webhook = SafeWebhook.new(url)
+          safe_webhook.validate!(request)
+        end
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -34,4 +34,8 @@ RSpec.configure do |config|
   # This setting enables warnings. It's recommended, but in some cases may
   # be too noisy due to issues in dependencies.
   config.warnings = true
+
+  config.before(:each) do
+    stub_resolv(anything, "1.1.1.1")
+  end
 end

data/spec/support/resolv_helper.rb

@@ -0,0 +1,10 @@
+module ResolvHelper
+  def stub_resolv(host, address)
+    allow(CC::Service::SafeWebhook).to receive(:getaddress).
+      with(host).and_return(address)
+  end
+end
+
+RSpec.configure do |conf|
+  conf.include ResolvHelper
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: codeclimate-services
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Bryan Helmkamp
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-09-15 00:00:00.000000000 Z
+date: 2016-09-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -143,6 +143,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".codeclimate.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -183,6 +184,7 @@ files:
 - lib/cc/service/invocation/with_retries.rb
 - lib/cc/service/invocation/with_return_values.rb
 - lib/cc/service/response_check.rb
+- lib/cc/service/safe_webhook.rb
 - lib/cc/services.rb
 - lib/cc/services/asana.rb
 - lib/cc/services/campfire.rb
@@ -216,12 +218,14 @@ files:
 - spec/cc/service/jira_spec.rb
 - spec/cc/service/lighthouse_spec.rb
 - spec/cc/service/pivotal_tracker_spec.rb
+- spec/cc/service/safe_webhook_spec.rb
 - spec/cc/service/slack_spec.rb
 - spec/cc/service/stash_pull_requests_spec.rb
 - spec/cc/service_spec.rb
 - spec/fixtures.rb
 - spec/spec_helper.rb
 - spec/support/fake_logger.rb
+- spec/support/resolv_helper.rb
 - spec/support/service_context.rb
 homepage: ''
 licenses:
@@ -243,7 +247,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Service classes for Code Climate
@@ -265,10 +269,12 @@ test_files:
 - spec/cc/service/jira_spec.rb
 - spec/cc/service/lighthouse_spec.rb
 - spec/cc/service/pivotal_tracker_spec.rb
+- spec/cc/service/safe_webhook_spec.rb
 - spec/cc/service/slack_spec.rb
 - spec/cc/service/stash_pull_requests_spec.rb
 - spec/cc/service_spec.rb
 - spec/fixtures.rb
 - spec/spec_helper.rb
 - spec/support/fake_logger.rb
+- spec/support/resolv_helper.rb
 - spec/support/service_context.rb