Merge branch '32059-fix-oauth-phishing' into 'master'

Prevent OAuth phishing attack by presenting detailed wording about app to user during authorization

See merge request gitlab-org/gitlab-ce!15311

app/assets/stylesheets/pages/settings.scss

@@ -249,3 +249,22 @@
     }
   }
 }
+
+.modal-doorkeepr-auth,
+.doorkeeper-app-form {
+  .scope-description {
+    color: $theme-gray-700;
+  }
+}
+
+.modal-doorkeepr-auth {
+  .modal-body {
+    padding: $gl-padding;
+  }
+}
+
+.doorkeeper-app-form {
+  .scope-description {
+    margin: 0 0 5px 17px;
+  }
+}

app/views/doorkeeper/applications/_form.html.haml

-= form_for application, url: doorkeeper_submit_path(application), html: {role: 'form'} do |f|
+= form_for application, url: doorkeeper_submit_path(application), html: { role: 'form', class: 'doorkeeper-app-form' } do |f|
   = form_errors(application)
 
   .form-group

app/views/doorkeeper/authorizations/new.html.haml

+- auth_app_owner = @pre_auth.client.application.owner
+
 %main{ :role => "main" }
-  .modal-no-backdrop
+  .modal-no-backdrop.modal-doorkeepr-auth
     .modal-content
       .modal-header
         %h3.page-title
@@ -16,14 +18,21 @@
               %strong= @pre_auth.client.name
               will allow them to interact with GitLab as an admin as well. Proceed with caution.
         %p
-          You are about to authorize
+          An application called
           = link_to @pre_auth.client.name, @pre_auth.redirect_uri, target: '_blank', rel: 'noopener noreferrer'
-          to use your account.
-          - if @pre_auth.scopes
+          is requesting access to your GitLab account. This application was created by
+          = succeed "." do
+            = link_to auth_app_owner.name, user_path(auth_app_owner)
+          Please note that this application is not provided by GitLab and you should verify its authenticity before
+          allowing access.
+        - if @pre_auth.scopes
+          %p
             This application will be able to:
             %ul
               - @pre_auth.scopes.each do |scope|
-                %li= t scope, scope: [:doorkeeper, :scopes]
+                %li
+                  %strong= t scope, scope: [:doorkeeper, :scopes]
+                  .scope-description= t scope, scope: [:doorkeeper, :scope_desc]
         .form-actions.text-right
           = form_tag oauth_authorization_path, method: :delete, class: 'inline'  do
             = hidden_field_tag :client_id, @pre_auth.client.uid

app/views/shared/tokens/_scopes_form.html.haml

@@ -7,3 +7,4 @@
     = check_box_tag "#{prefix}[scopes][]", scope, token.scopes.include?(scope), id: "#{prefix}_scopes_#{scope}"
     = label_tag ("#{prefix}_scopes_#{scope}"), scope
     %span= t(scope, scope: [:doorkeeper, :scopes])
+    .scope-description= t scope, scope: [:doorkeeper, :scope_desc]

changelogs/unreleased/32059-fix-oauth-phishing.yml

+---
+title: Prevent OAuth phishing attack by presenting detailed wording about app to user
+  during authorization
+merge_request: 
+author:
+type: security

config/locales/doorkeeper.en.yml

@@ -62,7 +62,15 @@ en:
       read_user: Read the authenticated user's personal information
       openid: Authenticate using OpenID Connect
       sudo: Perform API actions as any user in the system (if the authenticated user is an admin)
-
+    scope_desc:
+      api:
+        Full access to GitLab as the user, including read/write on all their groups and projects
+      read_user:
+        Read-only access to the user's profile information, like username, public email and full name
+      openid:
+        The ability to authenticate using GitLab, and read-only access to the user's profile information
+      sudo:
+        Access to the Sudo feature, to perform API actions as any user in the system (only available for admins)
     flash:
       applications:
         create: