Commit 8fae6a3d authored by Sean McGivern's avatar Sean McGivern Committed by DJ Mountney

Merge branch 'open-redirect-fix-continue-to' into 'security'

Fix for open redirect vuln involving continue[to] params

See merge request !2083
parent 191e748c
...@@ -7,6 +7,7 @@ module ContinueParams ...@@ -7,6 +7,7 @@ module ContinueParams
continue_params = continue_params.permit(:to, :notice, :notice_now) continue_params = continue_params.permit(:to, :notice, :notice_now)
return unless continue_params[:to] && continue_params[:to].start_with?('/') return unless continue_params[:to] && continue_params[:to].start_with?('/')
return if continue_params[:to].start_with?('//')
continue_params continue_params
end end
......
---
title: Fix for open redirect vulnerability using continue[to] in URL when requesting project import status.
merge_request:
author:
...@@ -96,12 +96,19 @@ describe Projects::ImportsController do ...@@ -96,12 +96,19 @@ describe Projects::ImportsController do
} }
end end
it 'redirects to params[:to]' do it 'redirects to internal params[:to]' do
get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: params get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: params
expect(flash[:notice]).to eq params[:notice] expect(flash[:notice]).to eq params[:notice]
expect(response).to redirect_to params[:to] expect(response).to redirect_to params[:to]
end end
it 'does not redirect to external params[:to]' do
params[:to] = "//google.com"
get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: params
expect(response).not_to redirect_to params[:to]
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment