Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
f2932885
Commit
f2932885
authored
Oct 06, 2017
by
Shinya Maeda
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Security fix: redirection in google_api/authorizations_controller
parent
5ced761e
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
57 additions
and
13 deletions
+57
-13
app/controllers/google_api/authorizations_controller.rb
app/controllers/google_api/authorizations_controller.rb
+7
-2
app/controllers/projects/clusters_controller.rb
app/controllers/projects/clusters_controller.rb
+7
-3
lib/google_api/cloud_platform/client.rb
lib/google_api/cloud_platform/client.rb
+5
-0
spec/controllers/google_api/authorizations_controller_spec.rb
.../controllers/google_api/authorizations_controller_spec.rb
+15
-8
spec/lib/google_api/cloud_platform/client_spec.rb
spec/lib/google_api/cloud_platform/client_spec.rb
+23
-0
No files found.
app/controllers/google_api/authorizations_controller.rb
View file @
f2932885
...
@@ -9,8 +9,13 @@ module GoogleApi
...
@@ -9,8 +9,13 @@ module GoogleApi
session
[
GoogleApi
::
CloudPlatform
::
Client
.
session_key_for_expires_at
]
=
session
[
GoogleApi
::
CloudPlatform
::
Client
.
session_key_for_expires_at
]
=
expires_at
.
to_s
expires_at
.
to_s
if
params
[
:state
].
present?
key
,
_
=
GoogleApi
::
CloudPlatform
::
Client
redirect_to
params
[
:state
]
.
session_key_for_second_redirect_uri
(
secure:
params
[
:state
])
second_redirect_uri
=
session
[
key
]
if
second_redirect_uri
.
present?
redirect_to
second_redirect_uri
else
else
redirect_to
root_path
redirect_to
root_path
end
end
...
...
app/controllers/projects/clusters_controller.rb
View file @
f2932885
...
@@ -16,9 +16,13 @@ class Projects::ClustersController < Projects::ApplicationController
...
@@ -16,9 +16,13 @@ class Projects::ClustersController < Projects::ApplicationController
def
login
def
login
begin
begin
@authorize_url
=
GoogleApi
::
CloudPlatform
::
Client
.
new
(
GoogleApi
::
CloudPlatform
::
Client
.
session_key_for_second_redirect_uri
.
tap
do
|
key
,
secure
|
nil
,
callback_google_api_auth_url
,
session
[
key
]
=
namespace_project_clusters_url
.
to_s
state:
namespace_project_clusters_url
.
to_s
).
authorize_url
@authorize_url
=
GoogleApi
::
CloudPlatform
::
Client
.
new
(
nil
,
callback_google_api_auth_url
,
state:
secure
).
authorize_url
end
rescue
GoogleApi
::
Auth
::
ConfigMissingError
rescue
GoogleApi
::
Auth
::
ConfigMissingError
# no-op
# no-op
end
end
...
...
lib/google_api/cloud_platform/client.rb
View file @
f2932885
...
@@ -15,6 +15,11 @@ module GoogleApi
...
@@ -15,6 +15,11 @@ module GoogleApi
def
session_key_for_expires_at
def
session_key_for_expires_at
:cloud_platform_expires_at
:cloud_platform_expires_at
end
end
def
session_key_for_second_redirect_uri
(
secure:
nil
)
secure
=
SecureRandom
.
hex
unless
secure
return
"cloud_platform_second_redirect_uri_
#{
secure
}
"
,
secure
end
end
end
def
scope
def
scope
...
...
spec/controllers/google_api/authorizations_controller_spec.rb
View file @
f2932885
...
@@ -3,12 +3,10 @@ require 'spec_helper'
...
@@ -3,12 +3,10 @@ require 'spec_helper'
describe
GoogleApi
::
AuthorizationsController
do
describe
GoogleApi
::
AuthorizationsController
do
describe
'GET|POST #callback'
do
describe
'GET|POST #callback'
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:state
)
{
project_clusters_url
(
project
).
to_s
}
let
(
:token
)
{
'token'
}
let
(
:token
)
{
'token'
}
let
(
:expires_at
)
{
1
.
hour
.
since
.
strftime
(
'%s'
)
}
let
(
:expires_at
)
{
1
.
hour
.
since
.
strftime
(
'%s'
)
}
subject
{
get
:callback
,
code:
'xxx'
,
state:
state
}
subject
{
get
:callback
,
code:
'xxx'
,
state:
@
state
}
before
do
before
do
sign_in
(
user
)
sign_in
(
user
)
...
@@ -17,7 +15,7 @@ describe GoogleApi::AuthorizationsController do
...
@@ -17,7 +15,7 @@ describe GoogleApi::AuthorizationsController do
.
to
receive
(
:get_token
).
and_return
([
token
,
expires_at
])
.
to
receive
(
:get_token
).
and_return
([
token
,
expires_at
])
end
end
it
'sets token and expires_atin session'
do
it
'sets token and expires_at
in session'
do
subject
subject
expect
(
session
[
GoogleApi
::
CloudPlatform
::
Client
.
session_key_for_token
])
expect
(
session
[
GoogleApi
::
CloudPlatform
::
Client
.
session_key_for_token
])
...
@@ -26,15 +24,24 @@ describe GoogleApi::AuthorizationsController do
...
@@ -26,15 +24,24 @@ describe GoogleApi::AuthorizationsController do
.
to
eq
(
expires_at
)
.
to
eq
(
expires_at
)
end
end
context
'when redirection url is stored in state'
do
context
'when second redirection url key is stored in state'
do
set
(
:project
)
{
create
(
:project
)
}
let
(
:second_redirect_uri
)
{
namespace_project_clusters_url
(
project
.
namespace
,
project
).
to_s
}
# TODO: revrt
before
do
GoogleApi
::
CloudPlatform
::
Client
.
session_key_for_second_redirect_uri
.
tap
do
|
key
,
secure
|
@state
=
secure
session
[
key
]
=
second_redirect_uri
end
end
it
'redirects to the URL stored in state param'
do
it
'redirects to the URL stored in state param'
do
expect
(
subject
).
to
redirect_to
(
s
tate
)
expect
(
subject
).
to
redirect_to
(
s
econd_redirect_uri
)
end
end
end
end
context
'when redirection url is not stored in state'
do
context
'when redirection url is not stored in state'
do
let
(
:state
)
{
''
}
it
'redirects to root_path'
do
it
'redirects to root_path'
do
expect
(
subject
).
to
redirect_to
(
root_path
)
expect
(
subject
).
to
redirect_to
(
root_path
)
end
end
...
...
spec/lib/google_api/cloud_platform/client_spec.rb
View file @
f2932885
...
@@ -4,6 +4,29 @@ describe GoogleApi::CloudPlatform::Client do
...
@@ -4,6 +4,29 @@ describe GoogleApi::CloudPlatform::Client do
let
(
:token
)
{
'token'
}
let
(
:token
)
{
'token'
}
let
(
:client
)
{
described_class
.
new
(
token
,
nil
)
}
let
(
:client
)
{
described_class
.
new
(
token
,
nil
)
}
describe
'.session_key_for_second_redirect_uri'
do
subject
{
described_class
.
session_key_for_second_redirect_uri
(
secure:
secure
)
}
context
'when pass a postfix'
do
let
(
:secure
)
{
SecureRandom
.
hex
}
it
'creates a required session key'
do
key
,
_
=
described_class
.
session_key_for_second_redirect_uri
(
secure:
secure
)
expect
(
key
).
to
eq
(
"cloud_platform_second_redirect_uri_
#{
secure
}
"
)
end
end
context
'when pass a postfix'
do
let
(
:secure
)
{
nil
}
it
'creates a new session key'
do
key
,
secure
=
described_class
.
session_key_for_second_redirect_uri
expect
(
key
).
to
include
(
'cloud_platform_second_redirect_uri_'
)
expect
(
secure
).
not_to
be_nil
end
end
end
describe
'#validate_token'
do
describe
'#validate_token'
do
subject
{
client
.
validate_token
(
expires_at
)
}
subject
{
client
.
validate_token
(
expires_at
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment