Merge branch 'security-fix-CVE-2020-10187' into 'master'

Fix doorkeeper CVE-2020-10187 Closes #115 See merge request gitlab-org/security/gitlab!429

Merge branch 'security-fix-CVE-2020-10187' into 'master'
Fix doorkeeper CVE-2020-10187 Closes #115 See merge request gitlab-org/security/gitlab!429
03213b25 · GitLab Release Tools Bot · f98ce6b4 · f8d71631 · 03213b25 · 03213b25
Commit 03213b25 authored Apr 27, 2020 by GitLab Release Tools Bot
3 changed files
--- a/app/controllers/oauth/authorized_applications_controller.rb
+++ b/app/controllers/oauth/authorized_applications_controller.rb
@@ -5,6 +5,13 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio

  layout 'profile'

+  def index
+    respond_to do |format|
+      format.html { render "errors/not_found", layout: "errors", status: :not_found }
+      format.json { render json: "", status: :not_found }
+    end
+  end
+
  def destroy
    if params[:token_id].present?
      current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke

--- a/changelogs/unreleased/security-fix-CVE-2020-10187.yml
+++ b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
+---
+title: Fix doorkeeper CVE-2020-10187
+merge_request:
+author:
+type: security
--- a/spec/controllers/oauth/authorized_applications_controller_spec.rb
+++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Oauth::AuthorizedApplicationsController do
+  let(:user) { create(:user) }
+  let(:guest) { create(:user) }
+  let(:application) { create(:oauth_application, owner: guest) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe 'GET #index' do
+    it 'responds with 404' do
+      get :index
+
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+  end
+end