Merge branch 'open-redirect-fix-continue-to' into 'security'

Fix for open redirect vuln involving continue[to] params See merge request !2083

Merge branch 'open-redirect-fix-continue-to' into 'security'
Fix for open redirect vuln involving continue[to] params See merge request !2083
8fae6a3d · Sean McGivern · DJ Mountney · 191e748c · 8fae6a3d · 8fae6a3d
Commit 8fae6a3d authored Apr 05, 2017 by Sean McGivern Committed by DJ Mountney Apr 05, 2017
3 changed files
--- a/app/controllers/concerns/continue_params.rb
+++ b/app/controllers/concerns/continue_params.rb
@@ -7,6 +7,7 @@ module ContinueParams

    continue_params = continue_params.permit(:to, :notice, :notice_now)
    return unless continue_params[:to] && continue_params[:to].start_with?('/')
+    return if continue_params[:to].start_with?('//')

    continue_params
  end

--- a/changelogs/unreleased/open-redirect-continue-params.yml
+++ b/changelogs/unreleased/open-redirect-continue-params.yml
+---
+title: Fix for open redirect vulnerability using continue[to] in URL when requesting project import status.
+merge_request: 
+author:
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@@ -96,12 +96,19 @@ describe Projects::ImportsController do
            }
          end

-          it 'redirects to params[:to]' do
+          it 'redirects to internal params[:to]' do
            get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: params

            expect(flash[:notice]).to eq params[:notice]
            expect(response).to redirect_to params[:to]
          end
+
+          it 'does not redirect to external params[:to]' do
+            params[:to] = "//google.com"
+
+            get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: params
+            expect(response).not_to redirect_to params[:to]
+          end
        end
      end