From 7e21011abb98790d822d532c690114966fba6bea Mon Sep 17 00:00:00 2001
From: Mike Kozono <mkozono@gitlab.com>
Date: Thu, 8 Apr 2021 09:46:29 -0700
Subject: [PATCH] Bump Carrierwave gem to v1.3.2

---
 Gemfile.lock                                                 | 4 +++-
 changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml | 5 +++++
 spec/services/projects/download_service_spec.rb              | 5 +++--
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml

diff --git a/Gemfile.lock b/Gemfile.lock
index fe83691544837..162170219cde2 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -177,10 +177,11 @@ GEM
     capybara-screenshot (1.0.22)
       capybara (>= 1.0, < 4)
       launchy
-    carrierwave (1.3.1)
+    carrierwave (1.3.2)
       activemodel (>= 4.0.0)
       activesupport (>= 4.0.0)
       mime-types (>= 1.16)
+      ssrf_filter (~> 1.0)
     cbor (0.5.9.6)
     character_set (1.4.0)
     charlock_holmes (0.7.7)
@@ -1210,6 +1211,7 @@ GEM
       sprockets (>= 3.0.0)
     sqlite3 (1.3.13)
     sshkey (2.0.0)
+    ssrf_filter (1.0.7)
     stackprof (0.2.15)
     state_machines (0.5.0)
     state_machines-activemodel (0.8.0)
diff --git a/changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml b/changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml
new file mode 100644
index 0000000000000..4e31f9d855d54
--- /dev/null
+++ b/changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml
@@ -0,0 +1,5 @@
+---
+title: Bump Carrierwave gem to v1.3.2
+merge_request:
+author:
+type: security
diff --git a/spec/services/projects/download_service_spec.rb b/spec/services/projects/download_service_spec.rb
index 0f743eaa7f55c..7d4fce814f5c2 100644
--- a/spec/services/projects/download_service_spec.rb
+++ b/spec/services/projects/download_service_spec.rb
@@ -20,8 +20,9 @@
 
     context 'for URLs that are on the whitelist' do
       before do
-        stub_request(:get, 'http://mycompany.fogbugz.com/rails_sample.jpg').to_return(body: File.read(Rails.root + 'spec/fixtures/rails_sample.jpg'))
-        stub_request(:get, 'http://mycompany.fogbugz.com/doc_sample.txt').to_return(body: File.read(Rails.root + 'spec/fixtures/doc_sample.txt'))
+        # `ssrf_filter` resolves the hostname. See https://github.com/carrierwaveuploader/carrierwave/commit/91714adda998bc9e8decf5b1f5d260d808761304
+        stub_request(:get, %r{http://[\d\.]+/rails_sample.jpg}).to_return(body: File.read(Rails.root + 'spec/fixtures/rails_sample.jpg'))
+        stub_request(:get, %r{http://[\d\.]+/doc_sample.txt}).to_return(body: File.read(Rails.root + 'spec/fixtures/doc_sample.txt'))
       end
 
       context 'an image file' do
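Review bot: The replacement stubs on the two `stub_request` lines match any dotted-numeric host, so the spec no longer asserts which address the whitelisted `mycompany.fogbugz.com` resolved to, and an unescaped `.` in `rails_sample.jpg` / `doc_sample.txt` also lets the pattern match unrelated paths. Tightening the patterns to `%r{\Ahttp://\d{1,3}(?:\.\d{1,3}){3}/rails_sample\.jpg\z}` (and the same form for `doc_sample\.txt`) keeps the resolution-agnostic intent while rejecting stray matches; whether WebMock applies the anchors to the full URI string should be confirmed against the WebMock version in use. A short comment on why the literal hostname cannot be stubbed after this bump, e.g. `# carrierwave 1.3.2 routes downloads through ssrf_filter, which replaces the hostname with the resolved IP before the request is issued`, would help the next reader more than the bare commit link. The enclosing `describe` block begins outside the hunk.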
-- 
GitLab