
Commit 8331786c authored by Douwe Maan

Merge branch '32059-fix-oauth-phishing' into 'master'

Prevent OAuth phishing attack by presenting detailed wording about app to user during authorization

See merge request gitlab-org/gitlab-ce!15311
parents 2cfcb9be 24a3bee0
......@@ -249,3 +249,22 @@
.doorkeeper-app-form {
.scope-description {
color: $theme-gray-700;
.modal-doorkeepr-auth {
.modal-body {
padding: $gl-padding;
.doorkeeper-app-form {
.scope-description {
margin: 0 0 5px 17px;
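Review bot: the new selector `.modal-doorkeepr-auth` is misspelled (`doorkeepr`), so the `.modal-body` padding rule only takes effect if the template that sets the class (not in this diff) repeats the same typo; rename it to `.modal-doorkeeper-auth` in both places so it reads consistently with the `.doorkeeper-app-form` block it sits next to.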
= form_for application, url: doorkeeper_submit_path(application), html: {role: 'form'} do |f|
= form_for application, url: doorkeeper_submit_path(application), html: { role: 'form', class: 'doorkeeper-app-form' } do |f|
= form_errors(application)
- auth_app_owner = @pre_auth.client.application.owner
%main{ :role => "main" }
......@@ -16,14 +18,21 @@
will allow them to interact with GitLab as an admin as well. Proceed with caution.
You are about to authorize
An application called
= link_to, @pre_auth.redirect_uri, target: '_blank', rel: 'noopener noreferrer'
to use your account.
- if @pre_auth.scopes
is requesting access to your GitLab account. This application was created by
= succeed "." do
= link_to, user_path(auth_app_owner)
Please note that this application is not provided by GitLab and you should verify its authenticity before
allowing access.
- if @pre_auth.scopes
This application will be able to:
- @pre_auth.scopes.each do |scope|
%li= t scope, scope: [:doorkeeper, :scopes]
%strong= t scope, scope: [:doorkeeper, :scopes]
.scope-description= t scope, scope: [:doorkeeper, :scope_desc]
= form_tag oauth_authorization_path, method: :delete, class: 'inline' do
= hidden_field_tag :client_id, @pre_auth.client.uid
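Review bot: the owner sentence ending in `= link_to, user_path(auth_app_owner)` assumes every application has a user owner, but neither this hunk nor the `- auth_app_owner = @pre_auth.client.application.owner` assignment guards against `auth_app_owner` being nil, and `user_path(nil)` raises, so an application without an owner (admin-created, instance-wide applications have none) would break the whole consent page. The unconditional warning "Please note that this application is not provided by GitLab and you should verify its authenticity" has the same blind spot: it is shown even for applications the instance itself provides. Suggest wrapping the owner link and the warning in `- if auth_app_owner` and rendering a separate line for the no-owner case, since the owner line is the one part of this screen an attacker cannot choose and is the signal the phishing fix relies on.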
......@@ -7,3 +7,4 @@
= check_box_tag "#{prefix}[scopes][]", scope, token.scopes.include?(scope), id: "#{prefix}_scopes_#{scope}"
= label_tag ("#{prefix}_scopes_#{scope}"), scope
%span= t(scope, scope: [:doorkeeper, :scopes])
.scope-description= t scope, scope: [:doorkeeper, :scope_desc]
title: Prevent OAuth phishing attack by presenting detailed wording about app to user
during authorization
type: security
......@@ -62,7 +62,15 @@ en:
read_user: Read the authenticated user's personal information
openid: Authenticate using OpenID Connect
sudo: Perform API actions as any user in the system (if the authenticated user is an admin)
Full access to GitLab as the user, including read/write on all their groups and projects
Read-only access to the user's profile information, like username, public email and full name
The ability to authenticate using GitLab, and read-only access to the user's profile information
Access to the Sudo feature, to perform API actions as any user in the system (only available for admins)
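Review bot: the views now call `t scope, scope: [:doorkeeper, :scope_desc]` for every scope in `@pre_auth.scopes` and for every scope in the token scopes partial, but this hunk adds only the four descriptions visible here (full access, read-only profile, OpenID Connect, sudo); any other registered scope without a `scope_desc` entry renders Rails' "translation missing" text on the consent screen, which undermines the point of the change. Either add a `scope_desc` key for every scope the scopes list can contain, or pass a `default:` to the lookup so an undocumented scope degrades to no description instead of a visible error.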