Commit 8331786c authored by Douwe Maan's avatar Douwe Maan

Merge branch '32059-fix-oauth-phishing' into 'master'

Prevent OAuth phishing attack by presenting detailed wording about app to user during authorization

See merge request gitlab-org/gitlab-ce!15311
parents 2cfcb9be 24a3bee0
...@@ -249,3 +249,22 @@ ...@@ -249,3 +249,22 @@
} }
} }
} }
.modal-doorkeepr-auth,
.doorkeeper-app-form {
.scope-description {
color: $theme-gray-700;
}
}
.modal-doorkeepr-auth {
.modal-body {
padding: $gl-padding;
}
}
.doorkeeper-app-form {
.scope-description {
margin: 0 0 5px 17px;
}
}
= form_for application, url: doorkeeper_submit_path(application), html: {role: 'form'} do |f| = form_for application, url: doorkeeper_submit_path(application), html: { role: 'form', class: 'doorkeeper-app-form' } do |f|
= form_errors(application) = form_errors(application)
.form-group .form-group
......
- auth_app_owner = @pre_auth.client.application.owner
%main{ :role => "main" } %main{ :role => "main" }
.modal-no-backdrop .modal-no-backdrop.modal-doorkeepr-auth
.modal-content .modal-content
.modal-header .modal-header
%h3.page-title %h3.page-title
...@@ -16,14 +18,21 @@ ...@@ -16,14 +18,21 @@
%strong= @pre_auth.client.name %strong= @pre_auth.client.name
will allow them to interact with GitLab as an admin as well. Proceed with caution. will allow them to interact with GitLab as an admin as well. Proceed with caution.
%p %p
You are about to authorize An application called
= link_to @pre_auth.client.name, @pre_auth.redirect_uri, target: '_blank', rel: 'noopener noreferrer' = link_to @pre_auth.client.name, @pre_auth.redirect_uri, target: '_blank', rel: 'noopener noreferrer'
to use your account. is requesting access to your GitLab account. This application was created by
= succeed "." do
= link_to auth_app_owner.name, user_path(auth_app_owner)
Please note that this application is not provided by GitLab and you should verify its authenticity before
allowing access.
- if @pre_auth.scopes - if @pre_auth.scopes
%p
This application will be able to: This application will be able to:
%ul %ul
- @pre_auth.scopes.each do |scope| - @pre_auth.scopes.each do |scope|
%li= t scope, scope: [:doorkeeper, :scopes] %li
%strong= t scope, scope: [:doorkeeper, :scopes]
.scope-description= t scope, scope: [:doorkeeper, :scope_desc]
.form-actions.text-right .form-actions.text-right
= form_tag oauth_authorization_path, method: :delete, class: 'inline' do = form_tag oauth_authorization_path, method: :delete, class: 'inline' do
= hidden_field_tag :client_id, @pre_auth.client.uid = hidden_field_tag :client_id, @pre_auth.client.uid
......
...@@ -7,3 +7,4 @@ ...@@ -7,3 +7,4 @@
= check_box_tag "#{prefix}[scopes][]", scope, token.scopes.include?(scope), id: "#{prefix}_scopes_#{scope}" = check_box_tag "#{prefix}[scopes][]", scope, token.scopes.include?(scope), id: "#{prefix}_scopes_#{scope}"
= label_tag ("#{prefix}_scopes_#{scope}"), scope = label_tag ("#{prefix}_scopes_#{scope}"), scope
%span= t(scope, scope: [:doorkeeper, :scopes]) %span= t(scope, scope: [:doorkeeper, :scopes])
.scope-description= t scope, scope: [:doorkeeper, :scope_desc]
---
title: Prevent OAuth phishing attack by presenting detailed wording about app to user
during authorization
merge_request:
author:
type: security
...@@ -62,7 +62,15 @@ en: ...@@ -62,7 +62,15 @@ en:
read_user: Read the authenticated user's personal information read_user: Read the authenticated user's personal information
openid: Authenticate using OpenID Connect openid: Authenticate using OpenID Connect
sudo: Perform API actions as any user in the system (if the authenticated user is an admin) sudo: Perform API actions as any user in the system (if the authenticated user is an admin)
scope_desc:
api:
Full access to GitLab as the user, including read/write on all their groups and projects
read_user:
Read-only access to the user's profile information, like username, public email and full name
openid:
The ability to authenticate using GitLab, and read-only access to the user's profile information
sudo:
Access to the Sudo feature, to perform API actions as any user in the system (only available for admins)
flash: flash:
applications: applications:
create: create:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment