Merge branch 'ce-to-ee-2018-06-22' into 'master'

CE upstream - 2018-06-22 09:21 UTC See merge request gitlab-org/gitlab-ee!6237

Merge branch 'ce-to-ee-2018-06-22' into 'master'
CE upstream - 2018-06-22 09:21 UTC See merge request gitlab-org/gitlab-ee!6237
4e7d3451 · Achilleas Pipinellis · 30dfd066 · 4e96258b · 4e7d3451 · 4e7d3451
Commit 4e7d3451 authored Jun 22, 2018 by Achilleas Pipinellis
6 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -27,7 +27,7 @@ class ApplicationController < ActionController::Base

  after_action :set_page_title_header, if: -> { request.format == :json }

-  protect_from_forgery with: :exception
+  protect_from_forgery with: :exception, prepend: true

  helper_method :can?
  helper_method :import_sources_enabled?, :github_import_enabled?, :gitea_import_enabled?, :github_import_configured?, :gitlab_import_enabled?, :gitlab_import_configured?, :bitbucket_import_enabled?, :bitbucket_import_configured?, :google_code_import_enabled?, :fogbugz_import_enabled?, :git_import_enabled?, :gitlab_project_import_enabled?

--- a/app/controllers/health_controller.rb
+++ b/app/controllers/health_controller.rb
 class HealthController < ActionController::Base
-  protect_from_forgery with: :exception, except: :storage_check
+  protect_from_forgery with: :exception, except: :storage_check, prepend: true
  include RequiresWhitelistedMonitoringClient

  CHECKS = [

--- a/app/controllers/metrics_controller.rb
+++ b/app/controllers/metrics_controller.rb
 class MetricsController < ActionController::Base
  include RequiresWhitelistedMonitoringClient

-  protect_from_forgery with: :exception
+  protect_from_forgery with: :exception, prepend: true

  def index
    response = if Gitlab::Metrics.prometheus_metrics_enabled?

--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -3,7 +3,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
  include Devise::Controllers::Rememberable
  prepend EE::OmniauthCallbacksController

-  protect_from_forgery except: [:kerberos, :saml, :cas3]
+  protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true

  def handle_omniauth
    omniauth_flow(Gitlab::Auth::OAuth)

--- a/changelogs/unreleased/blackst0ne-fix-protect-from-forgery-in-application-controller.yml
+++ b/changelogs/unreleased/blackst0ne-fix-protect-from-forgery-in-application-controller.yml
+---
+title: "[Rails5] Force the callback run first"
+merge_request: 20055
+author: "@blackst0ne"
+type: fixed
--- a/lib/gitlab/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -5,7 +5,7 @@
 module Gitlab
  module RequestForgeryProtection
    class Controller < ActionController::Base
-      protect_from_forgery with: :exception
+      protect_from_forgery with: :exception, prepend: true

      rescue_from ActionController::InvalidAuthenticityToken do |e|
        logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"