[Backport] Fixing bad origin configuration for gitlab and bitbucket

2016-02-10 14:20:30 +01:00 · 2016-02-10 14:20:30 +01:00 · b74f226a8a
parent b48d514271
commit b74f226a8a
4 changed files with 87 additions and 2 deletions
--- a/taiga/hooks/bitbucket/api.py
+++ b/taiga/hooks/bitbucket/api.py
@ -63,7 +63,7 @@ class BitBucketViewSet(BaseWebhookApiViewSet):
            try:
                mathching_origin_ip = len(all_matching_cidrs(origin_ip,valid_origin_ips)) > 0

-            except AddrFormatError:
+            except(AddrFormatError, ValueError):
                mathching_origin_ip = False

        if not mathching_origin_ip:
--- a/taiga/hooks/gitlab/api.py
+++ b/taiga/hooks/gitlab/api.py
@ -61,7 +61,7 @@ class GitLabViewSet(BaseWebhookApiViewSet):
            try:
                mathching_origin_ip = len(all_matching_cidrs(origin_ip,valid_origin_ips)) > 0

-            except AddrFormatError:
+            except (AddrFormatError, ValueError):
                mathching_origin_ip = False

        if not mathching_origin_ip:
--- a/tests/integration/test_hooks_bitbucket.py
+++ b/tests/integration/test_hooks_bitbucket.py
@ -80,6 +80,48 @@ def test_ok_signature_ip_in_network(client):
    assert response.status_code == 204


+def test_ok_signature_invalid_network(client):
+    project = f.ProjectFactory()
+    f.ProjectModulesConfigFactory(project=project, config={
+        "bitbucket": {
+            "secret": "tpnIwJDz4e",
+            "valid_origin_ips": ["131.103.20.160/27;165.254.145.0/26;104.192.143.0/24"],
+        }
+    })
+
+    url = reverse("bitbucket-hook-list")
+    url = "{}?project={}&key={}".format(url, project.id, "tpnIwJDz4e")
+    data = json.dumps({"push": {"changes": [{"new": {"target": { "message": "test message"}}}]}})
+    response = client.post(url,
+                           data,
+                           content_type="application/json",
+                           HTTP_X_EVENT_KEY="repo:push",
+                           REMOTE_ADDR="104.192.143.193")
+
+    assert response.status_code == 400
+    assert "Bad signature" in response.data["_error_message"]
+
+
+def test_blocked_project(client):
+    project = f.ProjectFactory(blocked_code=project_choices.BLOCKED_BY_STAFF)
+    f.ProjectModulesConfigFactory(project=project, config={
+        "bitbucket": {
+            "secret": "tpnIwJDz4e"
+        }
+    })
+
+    url = reverse("bitbucket-hook-list")
+    url = "{}?project={}&key={}".format(url, project.id, "tpnIwJDz4e")
+    data = json.dumps({"push": {"changes": [{"new": {"target": { "message": "test message"}}}]}})
+    response = client.post(url,
+                           data,
+                           content_type="application/json",
+                           HTTP_X_EVENT_KEY="repo:push",
+                           REMOTE_ADDR=settings.BITBUCKET_VALID_ORIGIN_IPS[0])
+
+    assert response.status_code == 451
+
+
 def test_invalid_ip(client):
    project = f.ProjectFactory()
    f.ProjectModulesConfigFactory(project=project, config={
--- a/tests/integration/test_hooks_gitlab.py
+++ b/tests/integration/test_hooks_gitlab.py
@ -96,6 +96,49 @@ def test_ok_signature_ip_in_network(client):
    assert response.status_code == 204


+def test_ok_signature_invalid_network(client):
+    project = f.ProjectFactory()
+    f.ProjectModulesConfigFactory(project=project, config={
+        "gitlab": {
+            "secret": "tpnIwJDz4e",
+            "valid_origin_ips": ["131.103.20.160/27;165.254.145.0/26;104.192.143.0/24"],
+        }
+    })
+
+    url = reverse("gitlab-hook-list")
+    url = "{}?project={}&key={}".format(url, project.id, "tpnIwJDz4e")
+    data = json.dumps({"push": {"changes": [{"new": {"target": { "message": "test message"}}}]}})
+    response = client.post(url,
+                           data,
+                           content_type="application/json",
+                           HTTP_X_EVENT_KEY="repo:push",
+                           REMOTE_ADDR="104.192.143.193")
+
+    assert response.status_code == 400
+    assert "Bad signature" in response.data["_error_message"]
+
+
+
+def test_blocked_project(client):
+    project = f.ProjectFactory(blocked_code=project_choices.BLOCKED_BY_STAFF)
+    f.ProjectModulesConfigFactory(project=project, config={
+        "gitlab": {
+            "secret": "tpnIwJDz4e",
+            "valid_origin_ips": ["111.111.111.111"],
+        }
+    })
+
+    url = reverse("gitlab-hook-list")
+    url = "{}?project={}&key={}".format(url, project.id, "tpnIwJDz4e")
+    data = {"test:": "data"}
+    response = client.post(url,
+                           json.dumps(data),
+                           content_type="application/json",
+                           REMOTE_ADDR="111.111.111.111")
+
+    assert response.status_code == 451
+
+
 def test_invalid_ip(client):
    project = f.ProjectFactory()
    f.ProjectModulesConfigFactory(project=project, config={