Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
fab6a50f
Commit
fab6a50f
authored
Dec 12, 2018
by
James Edwards-Jones
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Prevent password sign in restriction bypass
parent
5396b2a8
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
47 additions
and
1 deletion
+47
-1
app/controllers/sessions_controller.rb
app/controllers/sessions_controller.rb
+9
-0
changelogs/unreleased/security-jej-prevent-web-sign-in-bypass.yml
...gs/unreleased/security-jej-prevent-web-sign-in-bypass.yml
+5
-0
spec/controllers/sessions_controller_spec.rb
spec/controllers/sessions_controller_spec.rb
+33
-1
No files found.
app/controllers/sessions_controller.rb
View file @
fab6a50f
...
...
@@ -18,6 +18,7 @@ class SessionsController < Devise::SessionsController
prepend_before_action
:store_redirect_uri
,
only:
[
:new
]
prepend_before_action
:ldap_servers
,
only:
[
:new
,
:create
]
prepend_before_action
:require_no_authentication_without_flash
,
only:
[
:new
,
:create
]
prepend_before_action
:ensure_password_authentication_enabled!
,
if: :password_based_login?
,
only:
[
:create
]
before_action
:auto_sign_in_with_provider
,
only:
[
:new
]
before_action
:load_recaptcha
...
...
@@ -138,6 +139,14 @@ class SessionsController < Devise::SessionsController
end
# rubocop: enable CodeReuse/ActiveRecord
def
ensure_password_authentication_enabled!
render_403
unless
Gitlab
::
CurrentSettings
.
password_authentication_enabled_for_web?
end
def
password_based_login?
user_params
[
:login
].
present?
||
user_params
[
:password
].
present?
end
def
user_params
params
.
require
(
:user
).
permit
(
:login
,
:password
,
:remember_me
,
:otp_attempt
,
:device_response
)
end
...
...
changelogs/unreleased/security-jej-prevent-web-sign-in-bypass.yml
0 → 100644
View file @
fab6a50f
---
title
:
Prevent bypass of restriction disabling web password sign in
merge_request
:
author
:
type
:
security
spec/controllers/sessions_controller_spec.rb
View file @
fab6a50f
...
...
@@ -58,7 +58,26 @@ describe SessionsController do
it
'authenticates user correctly'
do
post
(
:create
,
params:
{
user:
user_params
})
expect
(
subject
.
current_user
).
to
eq
user
expect
(
subject
.
current_user
).
to
eq
user
end
context
'with password authentication disabled'
do
before
do
stub_application_setting
(
password_authentication_enabled_for_web:
false
)
end
it
'does not sign in the user'
do
post
(
:create
,
params:
{
user:
user_params
})
expect
(
@request
.
env
[
'warden'
]).
not_to
be_authenticated
expect
(
subject
.
current_user
).
to
be_nil
end
it
'returns status 403'
do
post
(
:create
,
params:
{
user:
user_params
})
expect
(
response
.
status
).
to
eq
403
end
end
it
'creates an audit log record'
do
...
...
@@ -153,6 +172,19 @@ describe SessionsController do
end
end
context
'with password authentication disabled'
do
before
do
stub_application_setting
(
password_authentication_enabled_for_web:
false
)
end
it
'allows 2FA stage of non-password login'
do
authenticate_2fa
(
otp_attempt:
user
.
current_otp
)
expect
(
@request
.
env
[
'warden'
]).
to
be_authenticated
expect
(
subject
.
current_user
).
to
eq
user
end
end
##
# See #14900 issue
#
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment