Merge branch 'security-fj-missing-csrf-system-hooks-11-1' into 'security-11-1'

[11.1] Missing CSRF in System Hooks See merge request gitlab/gitlabhq!2444

Merge branch 'security-fj-missing-csrf-system-hooks-11-1' into 'security-11-1'
[11.1] Missing CSRF in System Hooks See merge request gitlab/gitlabhq!2444
fe8b17ff · Felipe Artur Cardozo · Felipe Artur · 44318222 · fe8b17ff · fe8b17ff
Commit fe8b17ff authored Jul 24, 2018 by Felipe Artur Cardozo Committed by Felipe Artur Jul 24, 2018
6 changed files
--- a/app/helpers/hooks_helper.rb
+++ b/app/helpers/hooks_helper.rb
@@ -10,7 +10,7 @@ module HooksHelper

    trigger_human_name = trigger.to_s.tr('_', ' ').camelize

-    link_to path, rel: 'nofollow' do
+    link_to path, rel: 'nofollow', method: :post do
      content_tag(:span, trigger_human_name)
    end
  end

--- a/changelogs/unreleased/security-fj-missing-csrf-system-hooks.yml
+++ b/changelogs/unreleased/security-fj-missing-csrf-system-hooks.yml
+---
+title: Adding CSRF protection to Hooks test action
+merge_request:
+author:
+type: security
--- a/config/routes/admin.rb
+++ b/config/routes/admin.rb
@@ -54,7 +54,7 @@ namespace :admin do

  resources :hooks, only: [:index, :create, :edit, :update, :destroy] do
    member do
-      get :test
+      post :test
    end

    resources :hook_logs, only: [:show] do

--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -301,7 +301,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do

      resources :hooks, only: [:index, :create, :edit, :update, :destroy], constraints: { id: /\d+/ } do
        member do
-          get :test
+          post :test
        end

        resources :hook_logs, only: [:show] do

--- a/spec/routing/admin_routing_spec.rb
+++ b/spec/routing/admin_routing_spec.rb
@@ -79,7 +79,7 @@ end
 # edit_admin_hook GET    /admin/hooks/:id(.:format)           admin/hooks#edit
 describe Admin::HooksController, "routing" do
  it "to #test" do
-    expect(get("/admin/hooks/1/test")).to route_to('admin/hooks#test', id: '1')
+    expect(post("/admin/hooks/1/test")).to route_to('admin/hooks#test', id: '1')
  end

  it "to #index" do

--- a/spec/routing/project_routing_spec.rb
+++ b/spec/routing/project_routing_spec.rb
@@ -389,7 +389,7 @@ describe 'project routing' do
  #                   DELETE /:project_id/hooks/:id(.:format)      hooks#destroy
  describe Projects::HooksController, 'routing' do
    it 'to #test' do
-      expect(get('/gitlab/gitlabhq/hooks/1/test')).to route_to('projects/hooks#test', namespace_id: 'gitlab', project_id: 'gitlabhq', id: '1')
+      expect(post('/gitlab/gitlabhq/hooks/1/test')).to route_to('projects/hooks#test', namespace_id: 'gitlab', project_id: 'gitlabhq', id: '1')
    end

    it_behaves_like 'RESTful project resources' do