codeclimate-services 1.8.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 77816c3d07a72abbd79d831e8852592b4b30b654
-  data.tar.gz: f8696a4c43abd9b325dc9d8baadf5033c4c8246f
+  metadata.gz: 4df2ee48a6422a56813233250049c38979fc3cb8
+  data.tar.gz: 7e58584424589e2c0b2ca337a853a4ea37e7b0fa
 SHA512:
-  metadata.gz: d6ae01e70ac2bdc798333a52500b11778b47c256c444c7cceb76316c348c532fca4bd405864d4ba12310aac91f81d1a3ae4498a3a986ceb2ef4e0959f888f1e0
-  data.tar.gz: 1237a7918f78505f03e166fdd34f0efe21596dc39837d41a25abe1d8b0867e5a1531205f757cf179b20efba0153f7144064604eccbff01252d1a6118b6885ff3
+  metadata.gz: ebb9f1f93b763a3858d6c66283ad1b27ff6507e57612301b71eeaf2077a1a034e808f98e787bbd9d9a9b2091f7f2e0bb397f38b3710c726bcd6907d5e37d51ad
+  data.tar.gz: db694bb54c853bf76dab733883350b38e1c3123706104e3b2a7730ebb41618b65badd9b6c7afc4ccade4ecc26db5997935cd8c5392a052987a06c156f75ab541

data/.codeclimate.yml

@@ -10,10 +10,8 @@ engines:
   rubocop:
     enabled: true
     exclude_fingerprints:
-      # Using #=== intentionally in SafeWebhook
+      # Using #=== intentionally to do subnet masking
       - d1afe90be49c43e85a76bfa58f637804
-      # High complexity in http method due to SafeWebhook check
-      - f05cea2d219c0f8119eb826067a18eda
 ratings:
   paths:
   - "**.rb"

data/Gemfile

@@ -4,3 +4,8 @@ source "https://rubygems.org"
 gemspec
 
 gem "pry"
+
+group :test do
+  gem "simplecov"
+  gem "codeclimate-test-reporter", "1.0.0.pre.rc2"
+end

data/circle.yml

@@ -0,0 +1,4 @@
+test:
+  override:
+    - bundle exec rake
+    - bundle exec codeclimate-test-reporter

data/codeclimate-services.gemspec

@@ -23,7 +23,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency "activemodel", ">= 3.0"
   spec.add_dependency "activesupport", ">= 3.0"
   spec.add_development_dependency "bundler", ">= 1.6.2"
-  spec.add_development_dependency "codeclimate-test-reporter"
   spec.add_development_dependency "rake"
   spec.add_development_dependency "rspec"
 end

data/lib/cc/fixed_resolv.rb

@@ -0,0 +1,29 @@
+require "resolv-replace"
+
+module CC
+  class FixedResolv < Resolv::DNS
+    def self.enable!
+      new.tap do |instance|
+        Resolv::DefaultResolver.replace_resolvers([instance])
+      end
+    end
+
+    def initialize
+      @addresses = {}
+    end
+
+    def setaddress(name, address)
+      addresses[name] = address
+    end
+
+    def each_address(name)
+      if addresses.key?(name)
+        yield addresses.fetch(name)
+      end
+    end
+
+    private
+
+    attr_reader :addresses
+  end
+end

data/lib/cc/service/http.rb

@@ -53,16 +53,13 @@ module CC::Service::HTTP
   def http_method(method, url = nil, body = nil, headers = nil)
     block = Proc.new if block_given?
 
+    CC::Service::SafeWebhook.ensure_safe!(url)
+
     http.send(method) do |req|
       req.url(url) if url
       req.headers.update(headers) if headers
       req.body = body if body
       block.call req if block
-
-      unless allow_internal_webhooks?
-        safe_webhook = CC::Service::SafeWebhook.new(url)
-        safe_webhook.validate!(req)
-      end
     end
   end
 
@@ -103,9 +100,4 @@ module CC::Service::HTTP
       message: "Success",
     }
   end
-
-  def allow_internal_webhooks?
-    var = ENV["CODECLIMATE_ALLOW_INTERNAL_WEBHOOKS"] || ""
-    var == "1" || var == "true"
-  end
 end

data/lib/cc/service/safe_webhook.rb

@@ -1,13 +1,13 @@
 require "ipaddr"
-require "resolv"
+require "uri"
+
+require "cc/fixed_resolv"
 
 module CC
   class Service
     class SafeWebhook
-      InvalidWebhookURL = Class.new(StandardError)
+      InternalWebhookError = Class.new(StandardError)
 
-      # https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
-      # https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
       PRIVATE_ADDRESS_SUBNETS = [
         IPAddr.new("10.0.0.0/8"),
         IPAddr.new("172.16.0.0/12"),
@@ -17,54 +17,52 @@ module CC
         IPAddr.new("0:0:0:0:0:0:0:1"),
       ].freeze
 
+      def self.ensure_safe!(url)
+        instance = new(url)
+        instance.ensure_safe!
+      end
+
       def self.getaddress(host)
-        @resolv ||= Resolv::DNS.new
-        @resolv.getaddress(host).to_s
+        @dns ||= Resolv::DNS.new
+        @dns.getaddress(host)
+      end
+
+      def self.setaddress(host, address)
+        @fixed_resolv ||= CC::FixedResolv.enable!
+        @fixed_resolv.setaddress(host, address)
       end
 
       def initialize(url)
         @url = url
       end
 
-      # Resolve the Host to an IP address, validate that it doesn't point to
-      # anything internal, then alter the request to be for the IP directly with
-      # an explicit Host header given.
-      #
-      # See http://blog.fanout.io/2014/01/27/how-to-safely-invoke-webhooks/#ip-address-blacklisting
-      def validate!(request)
+      def ensure_safe!
         uri = URI.parse(url)
-        address = self.class.getaddress(uri.host)
 
-        if internal?(address)
-          raise_invalid("resolves to a private IP address")
+        if !allow_internal_webhooks? && internal?(uri.host)
+          raise InternalWebhookError, "#{url.inspect} maps to an internal address"
         end
-
-        alter_request(request, uri, address)
-      rescue URI::InvalidURIError, Resolv::ResolvError, Resolv::ResolvTimeout => ex
-        raise_invalid(ex.message)
       end
 
       private
 
       attr_reader :url
 
-      def internal?(address)
-        ip_addr = IPAddr.new(address)
+      def internal?(host)
+        address = self.class.getaddress(host)
+
+        self.class.setaddress(host, address)
 
         PRIVATE_ADDRESS_SUBNETS.any? do |subnet|
-          subnet === ip_addr
+          subnet === IPAddr.new(address.to_s)
         end
+      rescue Resolv::ResolvError
+        true # localhost
       end
 
-      def alter_request(request, uri, address)
-        address_uri = uri.dup
-        address_uri.host = address
-        request.url(address_uri.to_s)
-        request.headers.update(Host: uri.host)
-      end
-
-      def raise_invalid(message)
-        raise InvalidWebhookURL, "The Webhook URL #{url} is invalid: #{message}"
+      def allow_internal_webhooks?
+        var = ENV["CODECLIMATE_ALLOW_INTERNAL_WEBHOOKS"] || ""
+        var == "1" || var == "true"
       end
     end
   end

data/lib/cc/services/version.rb

@@ -1,5 +1,5 @@
 module CC
   module Services
-    VERSION = "1.8.0".freeze
+    VERSION = "1.9.0".freeze
   end
 end

data/spec/cc/service/github_issues_spec.rb

@@ -67,10 +67,8 @@ describe CC::Service::GitHubIssues, type: :service do
   end
 
   it "different base url" do
-    stub_resolv("example.com", "1.1.1.2")
-
     http_stubs.post request_url do |env|
-      expect(env[:url].to_s).to eq("http://1.1.1.2/#{request_url}")
+      expect(env[:url].to_s).to eq("http://example.com/#{request_url}")
       [200, {}, '{"number": 2, "html_url": "http://foo.bar"}']
     end
 

data/spec/cc/service/github_pull_requests_spec.rb

@@ -107,10 +107,8 @@ describe CC::Service::GitHubPullRequests, type: :service do
   end
 
   it "different base url" do
-    stub_resolv("example.com", "1.1.1.2")
-
     http_stubs.post("/repos/pbrisbin/foo/statuses/#{"0" * 40}") do |env|
-      expect(env[:url].to_s).to eq("http://1.1.1.2/repos/pbrisbin/foo/statuses/#{"0" * 40}")
+      expect(env[:url].to_s).to eq("http://example.com/repos/pbrisbin/foo/statuses/#{"0" * 40}")
       [422, { "x-oauth-scopes" => "gist, user, repo" }, ""]
     end
 

data/spec/cc/service/gitlab_merge_requests_spec.rb

@@ -134,44 +134,14 @@ describe CC::Service::GitlabMergeRequests, type: :service do
   end
 
   it "different base url" do
-    stub_resolv("gitlab.hal.org", "1.1.1.2")
-
     http_stubs.post("api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}") do |env|
-      expect(env[:url].to_s).to eq("https://1.1.1.2/api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}")
+      expect(env[:url].to_s).to eq("https://gitlab.hal.org/api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}")
       [404, {}, ""]
     end
 
     expect(receive_test({ base_url: "https://gitlab.hal.org" }, git_url: "ssh://git@gitlab.com/hal/hal9000.git")[:ok]).to eq(true)
   end
 
-  context "SafeWebhook" do
-    it "rewrites the request to be for the resolved IP" do
-      stub_resolv("my.gitlab.com", "1.1.1.2")
-
-      http_stubs.post("api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}") do |env|
-        expect(env[:url].to_s).to eq("https://1.1.1.2/api/v3/projects/hal%2Fhal9000/statuses/#{"0" * 40}")
-        expect(env[:request_headers][:Host]).to eq("my.gitlab.com")
-        [404, {}, ""]
-      end
-
-      expect(receive_test({ base_url: "https://my.gitlab.com" }, git_url: "ssh://git@gitlab.com/hal/hal9000.git")[:ok]).to eq(true)
-    end
-
-    it "validates that the host doesn't resolve to something internal" do
-      stub_resolv("my.gitlab.com", "127.0.0.1")
-
-      expect do
-        receive_test({ base_url: "https://my.gitlab.com" }, git_url: "")
-      end.to raise_error(CC::Service::SafeWebhook::InvalidWebhookURL)
-
-      stub_resolv("my.gitlab.com", "10.0.0.9")
-
-      expect do
-        receive_test({ base_url: "https://my.gitlab.com" }, git_url: "")
-      end.to raise_error(CC::Service::SafeWebhook::InvalidWebhookURL)
-    end
-  end
-
   private
 
   def expect_status_update(repo, commit_sha, params)

data/spec/cc/service/safe_webhook_spec.rb

@@ -2,59 +2,39 @@ require "spec_helper"
 
 class CC::Service
   describe SafeWebhook do
-    describe ".getaddress" do
-      it "resolves the dns name to a string" do
-        address = SafeWebhook.getaddress("codeclimate.com")
-
-        expect(address).to be_present
-        expect(address).to respond_to(:start_with?)
-      end
-    end
-
-    describe "#validate!" do
-      context "valid webhook URLs" do
-        it "rewrites the request to be safe" do
-          stub_resolv("example.com", "2.2.2.2")
-
-          request = double(headers: double)
-          expect(request).to receive(:url).with("https://2.2.2.2:3000/foo")
-          expect(request.headers).to receive(:update).with(Host: "example.com")
-
-          safe_webhook = SafeWebhook.new("https://example.com:3000/foo")
-          safe_webhook.validate!(request)
+    describe ".ensure_safe!" do
+      it "does not allow internal URLs" do
+        %w[ 127.0.0.1 192.168.0.1 10.0.1.18 ].each do |address|
+          stub_resolv("github.com", address)
+
+          expect do
+            SafeWebhook.ensure_safe!("https://github.com/api/v1/user")
+          end.to raise_error(SafeWebhook::InternalWebhookError)
         end
       end
 
-      context "invalid Webhook URLs" do
-        it "raises for invalid URL" do
-          allow(URI).to receive(:parse).and_raise(URI::InvalidURIError)
-
-          expect { validate("http://example.com") }.to raise_error(SafeWebhook::InvalidWebhookURL)
-        end
+      it "allows internal URLs when configured to do so" do
+        allow(ENV).to receive(:[]).
+          with("CODECLIMATE_ALLOW_INTERNAL_WEBHOOKS").
+          and_return("1")
 
-        it "raises for un-resolvable URL" do
-          allow(SafeWebhook).to receive(:getaddress).and_raise(Resolv::ResolvError)
+        stub_resolv("github.com", "10.0.1.18")
 
-          expect { validate("http://example.com") }.to raise_error(SafeWebhook::InvalidWebhookURL)
-        end
+        SafeWebhook.ensure_safe!("https://github.com/api/v1/user")
+      end
 
-        it "raises for localhost URLs" do
-          stub_resolv("example.com", "127.0.0.1")
+      it "allows non-internal URLs" do
+        stub_resolv("github.com", "1.1.1.2")
 
-          expect { validate("http://example.com") }.to raise_error(SafeWebhook::InvalidWebhookURL)
-        end
+        SafeWebhook.ensure_safe!("https://github.com/api/v1/user")
+      end
 
-        it "raises for internal URLs" do
-          stub_resolv("example.com", "10.0.0.1")
+      it "ensures future dns queries get the same answer" do
+        stub_resolv("github.com", "1.1.1.3")
 
-          expect { validate("http://example.com") }.to raise_error(SafeWebhook::InvalidWebhookURL)
-        end
+        SafeWebhook.ensure_safe!("https://github.com/api/v1/user")
 
-        def validate(url)
-          request = double
-          safe_webhook = SafeWebhook.new(url)
-          safe_webhook.validate!(request)
-        end
+        expect(Resolv.getaddress("github.com").to_s).to eq "1.1.1.3"
       end
     end
   end

data/spec/cc/service_spec.rb

@@ -32,42 +32,42 @@ describe CC::Service, type: :service do
   it "post success" do
     stub_http("/my/test/url", [200, {}, '{"ok": true, "thing": "123"}'])
 
-    response = service_post("/my/test/url", { token: "1234" }.to_json, {}) do |inner_response|
+    response = service_post("http://example.com/my/test/url", { token: "1234" }.to_json, {}) do |inner_response|
       body = JSON.parse(inner_response.body)
       { thing: body["thing"] }
     end
 
     expect(response[:ok]).to eq(true)
     expect(response[:params]).to eq('{"token":"1234"}')
-    expect(response[:endpoint_url]).to eq("/my/test/url")
+    expect(response[:endpoint_url]).to eq("http://example.com/my/test/url")
     expect(response[:status]).to eq(200)
   end
 
   it "post redirect success" do
-    stub_http("/my/test/url", [307, { "Location" => "/my/redirect/url" }, '{"ok": false, "redirect": true}'])
+    stub_http("/my/test/url", [307, { "Location" => "http://example.com/my/redirect/url" }, '{"ok": false, "redirect": true}'])
     stub_http("/my/redirect/url", [200, {}, '{"ok": true, "thing": "123"}'])
 
-    response = service_post_with_redirects("/my/test/url", { token: "1234" }.to_json, {}) do |inner_response|
+    response = service_post_with_redirects("http://example.com/my/test/url", { token: "1234" }.to_json, {}) do |inner_response|
       body = JSON.parse(inner_response.body)
       { thing: body["thing"] }
     end
 
     expect(response[:ok]).to eq(true)
     expect(response[:params]).to eq('{"token":"1234"}')
-    expect(response[:endpoint_url]).to eq("/my/test/url")
+    expect(response[:endpoint_url]).to eq("http://example.com/my/test/url")
     expect(response[:status]).to eq(200)
   end
 
   it "post http failure" do
     stub_http("/my/wrong/url", [404, {}, ""])
 
-    expect { service_post("/my/wrong/url", { token: "1234" }.to_json, {}) }.to raise_error(CC::Service::HTTPError)
+    expect { service_post("http://example.com/my/wrong/url", { token: "1234" }.to_json, {}) }.to raise_error(CC::Service::HTTPError)
   end
 
   it "post some other failure" do
     stub_http("/my/wrong/url") { raise ArgumentError, "lol" }
 
-    expect { service_post("/my/wrong/url", { token: "1234" }.to_json, {}) }.to raise_error(ArgumentError)
+    expect { service_post("http://example.com/my/wrong/url", { token: "1234" }.to_json, {}) }.to raise_error(ArgumentError)
   end
 
   it "services" do

data/spec/spec_helper.rb

@@ -1,5 +1,7 @@
-require "codeclimate-test-reporter"
-CodeClimate::TestReporter.start
+require "simplecov"
+SimpleCov.start do
+  add_filter "/spec/"
+end
 
 cwd = File.expand_path(File.dirname(__FILE__))
 require "#{cwd}/../config/load"
@@ -34,8 +36,8 @@ RSpec.configure do |config|
   # This setting enables warnings. It's recommended, but in some cases may
   # be too noisy due to issues in dependencies.
   config.warnings = true
-
-  config.before(:each) do
+  config.before do
+    # Disable actual DNS resolution during specs by default
     stub_resolv(anything, "1.1.1.1")
   end
 end

data/spec/support/resolv_helpers.rb

@@ -0,0 +1,10 @@
+module ResolvHelpers
+  def stub_resolv(name, address)
+    allow(CC::Service::SafeWebhook).to receive(:getaddress).
+      with(name).and_return(Resolv::IPv4.create(address))
+  end
+end
+
+RSpec.configure do |conf|
+  conf.include(ResolvHelpers)
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: codeclimate-services
 version: !ruby/object:Gem::Version
-  version: 1.8.0
+  version: 1.9.0
 platform: ruby
 authors:
 - Bryan Helmkamp
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-09-26 00:00:00.000000000 Z
+date: 2016-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -94,20 +94,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.6.2
-- !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -158,10 +144,12 @@ files:
 - bin/nokogiri
 - bin/pry
 - bin/rake
+- circle.yml
 - codeclimate-services.gemspec
 - config/cacert.pem
 - config/load.rb
 - lib/axiom/types/password.rb
+- lib/cc/fixed_resolv.rb
 - lib/cc/formatters/linked_formatter.rb
 - lib/cc/formatters/plain_formatter.rb
 - lib/cc/formatters/snapshot_formatter.rb
@@ -225,7 +213,7 @@ files:
 - spec/fixtures.rb
 - spec/spec_helper.rb
 - spec/support/fake_logger.rb
-- spec/support/resolv_helper.rb
+- spec/support/resolv_helpers.rb
 - spec/support/service_context.rb
 homepage: ''
 licenses:
@@ -276,5 +264,5 @@ test_files:
 - spec/fixtures.rb
 - spec/spec_helper.rb
 - spec/support/fake_logger.rb
-- spec/support/resolv_helper.rb
+- spec/support/resolv_helpers.rb
 - spec/support/service_context.rb

data/spec/support/resolv_helper.rb

@@ -1,10 +0,0 @@
-module ResolvHelper
-  def stub_resolv(host, address)
-    allow(CC::Service::SafeWebhook).to receive(:getaddress).
-      with(host).and_return(address)
-  end
-end
-
-RSpec.configure do |conf|
-  conf.include ResolvHelper
-end