Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
b9cee4ba
Commit
b9cee4ba
authored
Aug 30, 2018
by
Stan Hu
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Set issuable_sort and diff_view cookies to secure when possible
Closes #49120
parent
ba99dfcd
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
52 additions
and
5 deletions
+52
-5
app/controllers/concerns/issuable_collections.rb
app/controllers/concerns/issuable_collections.rb
+8
-4
app/controllers/projects/application_controller.rb
app/controllers/projects/application_controller.rb
+2
-1
app/helpers/cookies_helper.rb
app/helpers/cookies_helper.rb
+9
-0
changelogs/unreleased/sh-set-secure-cookies.yml
changelogs/unreleased/sh-set-secure-cookies.yml
+5
-0
spec/controllers/concerns/issuable_collections_spec.rb
spec/controllers/concerns/issuable_collections_spec.rb
+28
-0
No files found.
app/controllers/concerns/issuable_collections.rb
View file @
b9cee4ba
module
IssuableCollections
module
IssuableCollections
extend
ActiveSupport
::
Concern
extend
ActiveSupport
::
Concern
include
CookiesHelper
include
SortingHelper
include
SortingHelper
include
Gitlab
::
IssuableMetadata
include
Gitlab
::
IssuableMetadata
include
Gitlab
::
Utils
::
StrongMemoize
include
Gitlab
::
Utils
::
StrongMemoize
...
@@ -107,11 +108,14 @@ module IssuableCollections
...
@@ -107,11 +108,14 @@ module IssuableCollections
end
end
def
set_sort_order_from_cookie
def
set_sort_order_from_cookie
cookies
[
remember_sorting_key
]
=
params
[
:sort
]
if
params
[
:sort
].
present?
sort_param
=
params
[
:sort
]
if
params
[
:sort
].
present?
# fallback to legacy cookie value for backward compatibility
# fallback to legacy cookie value for backward compatibility
cookies
[
remember_sorting_key
]
||=
cookies
[
'issuable_sort'
]
sort_param
||=
cookies
[
'issuable_sort'
]
cookies
[
remember_sorting_key
]
=
update_cookie_value
(
cookies
[
remember_sorting_key
])
sort_param
||=
cookies
[
remember_sorting_key
]
params
[
:sort
]
=
cookies
[
remember_sorting_key
]
sort_value
=
update_cookie_value
(
sort_param
)
set_secure_cookie
(
remember_sorting_key
,
sort_value
)
params
[
:sort
]
=
sort_value
end
end
def
remember_sorting_key
def
remember_sorting_key
...
...
app/controllers/projects/application_controller.rb
View file @
b9cee4ba
class
Projects::ApplicationController
<
ApplicationController
class
Projects::ApplicationController
<
ApplicationController
include
CookiesHelper
include
RoutableActions
include
RoutableActions
include
ChecksCollaboration
include
ChecksCollaboration
...
@@ -74,7 +75,7 @@ class Projects::ApplicationController < ApplicationController
...
@@ -74,7 +75,7 @@ class Projects::ApplicationController < ApplicationController
end
end
def
apply_diff_view_cookie!
def
apply_diff_view_cookie!
cookies
.
permanent
[
:diff_view
]
=
params
.
delete
(
:view
)
if
params
[
:view
].
present?
set_secure_cookie
(
:diff_view
,
params
.
delete
(
:view
),
permanent:
true
)
if
params
[
:view
].
present?
end
end
def
require_pages_enabled!
def
require_pages_enabled!
...
...
app/helpers/cookies_helper.rb
0 → 100644
View file @
b9cee4ba
# frozen_string_literal: true
module
CookiesHelper
def
set_secure_cookie
(
key
,
value
,
httponly:
false
,
permanent:
false
)
cookie_jar
=
permanent
?
cookies
.
permanent
:
cookies
cookie_jar
[
key
]
=
{
value:
value
,
secure:
Gitlab
.
config
.
gitlab
.
https
,
httponly:
httponly
}
end
end
changelogs/unreleased/sh-set-secure-cookies.yml
0 → 100644
View file @
b9cee4ba
---
title
:
Set issuable_sort, diff_view, and perf_bar_enabled cookies to secure when possible
merge_request
:
21442
author
:
type
:
security
spec/controllers/concerns/issuable_collections_spec.rb
View file @
b9cee4ba
...
@@ -21,6 +21,34 @@ describe IssuableCollections do
...
@@ -21,6 +21,34 @@ describe IssuableCollections do
controller
controller
end
end
describe
'#set_set_order_from_cookie'
do
describe
'when sort param given'
do
let
(
:cookies
)
{
{}
}
let
(
:params
)
{
{
sort:
'downvotes_asc'
}
}
it
'sets the cookie with the right values and flags'
do
allow
(
controller
).
to
receive
(
:cookies
).
and_return
(
cookies
)
controller
.
send
(
:set_sort_order_from_cookie
)
expect
(
cookies
[
'issue_sort'
]).
to
eq
({
value:
'popularity'
,
secure:
false
,
httponly:
false
})
end
end
describe
'when cookie exists'
do
let
(
:cookies
)
{
{
'issue_sort'
=>
'id_asc'
}
}
let
(
:params
)
{
{}
}
it
'sets the cookie with the right values and flags'
do
allow
(
controller
).
to
receive
(
:cookies
).
and_return
(
cookies
)
controller
.
send
(
:set_sort_order_from_cookie
)
expect
(
cookies
[
'issue_sort'
]).
to
eq
({
value:
'created_asc'
,
secure:
false
,
httponly:
false
})
end
end
end
describe
'#page_count_for_relation'
do
describe
'#page_count_for_relation'
do
let
(
:params
)
{
{
state:
'opened'
}
}
let
(
:params
)
{
{
state:
'opened'
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment