Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
e8619196
Commit
e8619196
authored
Jan 13, 2021
by
GitLab Bot
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee
parent
1ef3b81f
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
36 additions
and
25 deletions
+36
-25
app/controllers/oauth/authorizations_controller.rb
app/controllers/oauth/authorizations_controller.rb
+12
-11
changelogs/unreleased/security-deny-implicit-confidential.yml
...gelogs/unreleased/security-deny-implicit-confidential.yml
+5
-0
spec/controllers/oauth/authorizations_controller_spec.rb
spec/controllers/oauth/authorizations_controller_spec.rb
+19
-14
No files found.
app/controllers/oauth/authorizations_controller.rb
View file @
e8619196
...
...
@@ -4,7 +4,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
include
Gitlab
::
Experimentation
::
ControllerConcern
include
InitializesCurrentUserMode
before_action
:verify_confirmed_email!
before_action
:verify_confirmed_email!
,
:verify_confidential_application!
layout
'profile'
...
...
@@ -24,18 +24,19 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
end
end
def
create
# Confidential apps require the client_secret to be sent with the request.
# Doorkeeper allows implicit grant flow requests (response_type=token) to
# work without client_secret regardless of the confidential setting.
if
pre_auth
.
authorizable?
&&
pre_auth
.
response_type
==
'token'
&&
pre_auth
.
client
.
application
.
confidential
render
"doorkeeper/authorizations/error"
else
super
end
private
# Confidential apps require the client_secret to be sent with the request.
# Doorkeeper allows implicit grant flow requests (response_type=token) to
# work without client_secret regardless of the confidential setting.
# This leads to security vulnerabilities and we want to block it.
def
verify_confidential_application!
render
'doorkeeper/authorizations/error'
if
authorizable_confidential?
end
private
def
authorizable_confidential?
pre_auth
.
authorizable?
&&
pre_auth
.
response_type
==
'token'
&&
pre_auth
.
client
.
application
.
confidential
end
def
verify_confirmed_email!
return
if
current_user
&
.
confirmed?
...
...
changelogs/unreleased/security-deny-implicit-confidential.yml
0 → 100644
View file @
e8619196
---
title
:
Deny implicit flow for confidential apps
merge_request
:
author
:
type
:
security
spec/controllers/oauth/authorizations_controller_spec.rb
View file @
e8619196
...
...
@@ -51,10 +51,27 @@ RSpec.describe Oauth::AuthorizationsController do
end
end
shared_examples
"Implicit grant can't be used in confidential application"
do
context
'when application is confidential'
do
before
do
application
.
update
(
confidential:
true
)
params
[
:response_type
]
=
'token'
end
it
'does not allow the implicit flow'
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/error'
)
end
end
end
describe
'GET #new'
do
subject
{
get
:new
,
params:
params
}
include_examples
'OAuth Authorizations require confirmed user'
include_examples
"Implicit grant can't be used in confidential application"
context
'when the user is confirmed'
do
let
(
:confirmed_at
)
{
1
.
hour
.
ago
}
...
...
@@ -95,26 +112,14 @@ RSpec.describe Oauth::AuthorizationsController do
subject
{
post
:create
,
params:
params
}
include_examples
'OAuth Authorizations require confirmed user'
context
'when application is confidential'
do
before
do
application
.
update
(
confidential:
true
)
params
[
:response_type
]
=
'token'
end
it
'does not allow the implicit flow'
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/error'
)
end
end
include_examples
"Implicit grant can't be used in confidential application"
end
describe
'DELETE #destroy'
do
subject
{
delete
:destroy
,
params:
params
}
include_examples
'OAuth Authorizations require confirmed user'
include_examples
"Implicit grant can't be used in confidential application"
end
it
'includes Two-factor enforcement concern'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment