Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
fa70ce10
Commit
fa70ce10
authored
Jan 06, 2021
by
GitLab Bot
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee
parent
bd200951
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
30 additions
and
0 deletions
+30
-0
app/controllers/oauth/authorizations_controller.rb
app/controllers/oauth/authorizations_controller.rb
+11
-0
changelogs/unreleased/security-implicit-confidential.yml
changelogs/unreleased/security-implicit-confidential.yml
+5
-0
spec/controllers/oauth/authorizations_controller_spec.rb
spec/controllers/oauth/authorizations_controller_spec.rb
+14
-0
No files found.
app/controllers/oauth/authorizations_controller.rb
View file @
fa70ce10
...
...
@@ -24,6 +24,17 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
end
end
def
create
# Confidential apps require the client_secret to be sent with the request.
# Doorkeeper allows implicit grant flow requests (response_type=token) to
# work without client_secret regardless of the confidential setting.
if
pre_auth
.
authorizable?
&&
pre_auth
.
response_type
==
'token'
&&
pre_auth
.
client
.
application
.
confidential
render
"doorkeeper/authorizations/error"
else
super
end
end
private
def
verify_confirmed_email!
...
...
changelogs/unreleased/security-implicit-confidential.yml
0 → 100644
View file @
fa70ce10
---
title
:
Deny implicit flow for confidential apps
merge_request
:
author
:
type
:
security
spec/controllers/oauth/authorizations_controller_spec.rb
View file @
fa70ce10
...
...
@@ -95,6 +95,20 @@ RSpec.describe Oauth::AuthorizationsController do
subject
{
post
:create
,
params:
params
}
include_examples
'OAuth Authorizations require confirmed user'
context
'when application is confidential'
do
before
do
application
.
update
(
confidential:
true
)
params
[
:response_type
]
=
'token'
end
it
'does not allow the implicit flow'
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/error'
)
end
end
end
describe
'DELETE #destroy'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment