Bug 1492639 Add destination checks to bouncer validation r=mtabara

Reviewers: mtabara Reviewed By: mtabara Subscribers: bhearsum, sfraser, catlee, mtabara Tags: #secure-revision, #bmo-releng-security Bug #: 1492639 Differential Revision: https://phabricator.services.mozilla.com/D8189 --HG-- extra : rebase_source : aee00eb82e67ac028238470e29b462f324c177b4
2024-11-24 13:21:05 +00:00 · 2018-10-10 15:00:18 +01:00 · 2018-10-10 15:00:18 +01:00 · 8bd61a2e25
commit 8bd61a2e25
parent 21fb9471be
3 changed files with 23 additions and 0 deletions
--- a/.cron.yml
+++ b/.cron.yml
@ -119,6 +119,9 @@ jobs:
              mozilla-release:
                  - {hour: 7, minute: 0}
                  - {hour: 19, minute: 0}
+              mozilla-esr60:
+                  - {hour: 7, minute: 0}
+                  - {hour: 19, minute: 0}

    - name: periodic-update
      job:
--- a/taskcluster/ci/cron-bouncer-check/kind.yml
+++ b/taskcluster/ci/cron-bouncer-check/kind.yml
@ -51,6 +51,7 @@ jobs:
                by-project:
                    mozilla-beta: LATEST_FIREFOX_RELEASED_DEVEL_VERSION
                    mozilla-release: LATEST_FIREFOX_VERSION
+                    mozilla-esr60: FIREFOX_ESR
                    default: LATEST_FIREFOX_DEVEL_VERSION
            products-url: https://product-details.mozilla.org/1.0/firefox_versions.json
        treeherder:
--- a/testing/mozharness/scripts/release/bouncer_check.py
+++ b/testing/mozharness/scripts/release/bouncer_check.py
@ -101,6 +101,18 @@ class BouncerCheck(BaseScript, VirtualenvMixin):

    def check_url(self, session, url):
        from redo import retry
+        try:
+            from urllib.parse import urlparse
+        except ImportError:
+            # Python 2
+            from urlparse import urlparse
+
+        mozilla_locations = [
+            'download-installer.cdn.mozilla.net',
+            'download.cdn.mozilla.net',
+            'download.mozilla.org',
+            'archive.mozilla.org',
+        ]

        def do_check_url():
            self.log("Checking {}".format(url))
@ -111,6 +123,13 @@ class BouncerCheck(BaseScript, VirtualenvMixin):
                self.warning("FAIL: {}, status: {}".format(url, r.status_code))
                raise

+            final_url = urlparse(r.url)
+            if final_url.scheme != 'https':
+                self.warning('FAIL: URL scheme is not https: {}'.format(r.url))
+
+            if final_url.netloc not in mozilla_locations:
+                self.warning('FAIL: host not in allowed locations: {}'.format(r.url))
+
        retry(do_check_url, sleeptime=3, max_sleeptime=10, attempts=3)

    def get_urls(self):