Commit e8619196 authored by GitLab Bot's avatar GitLab Bot

Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee

parent 1ef3b81f
...@@ -4,7 +4,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController ...@@ -4,7 +4,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
include Gitlab::Experimentation::ControllerConcern include Gitlab::Experimentation::ControllerConcern
include InitializesCurrentUserMode include InitializesCurrentUserMode
before_action :verify_confirmed_email! before_action :verify_confirmed_email!, :verify_confidential_application!
layout 'profile' layout 'profile'
...@@ -24,18 +24,19 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController ...@@ -24,18 +24,19 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
end end
end end
def create private
# Confidential apps require the client_secret to be sent with the request.
# Doorkeeper allows implicit grant flow requests (response_type=token) to # Confidential apps require the client_secret to be sent with the request.
# work without client_secret regardless of the confidential setting. # Doorkeeper allows implicit grant flow requests (response_type=token) to
if pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential # work without client_secret regardless of the confidential setting.
render "doorkeeper/authorizations/error" # This leads to security vulnerabilities and we want to block it.
else def verify_confidential_application!
super render 'doorkeeper/authorizations/error' if authorizable_confidential?
end
end end
private def authorizable_confidential?
pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential
end
def verify_confirmed_email! def verify_confirmed_email!
return if current_user&.confirmed? return if current_user&.confirmed?
......
---
title: Deny implicit flow for confidential apps
merge_request:
author:
type: security
...@@ -51,10 +51,27 @@ RSpec.describe Oauth::AuthorizationsController do ...@@ -51,10 +51,27 @@ RSpec.describe Oauth::AuthorizationsController do
end end
end end
shared_examples "Implicit grant can't be used in confidential application" do
context 'when application is confidential' do
before do
application.update(confidential: true)
params[:response_type] = 'token'
end
it 'does not allow the implicit flow' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/error')
end
end
end
describe 'GET #new' do describe 'GET #new' do
subject { get :new, params: params } subject { get :new, params: params }
include_examples 'OAuth Authorizations require confirmed user' include_examples 'OAuth Authorizations require confirmed user'
include_examples "Implicit grant can't be used in confidential application"
context 'when the user is confirmed' do context 'when the user is confirmed' do
let(:confirmed_at) { 1.hour.ago } let(:confirmed_at) { 1.hour.ago }
...@@ -95,26 +112,14 @@ RSpec.describe Oauth::AuthorizationsController do ...@@ -95,26 +112,14 @@ RSpec.describe Oauth::AuthorizationsController do
subject { post :create, params: params } subject { post :create, params: params }
include_examples 'OAuth Authorizations require confirmed user' include_examples 'OAuth Authorizations require confirmed user'
include_examples "Implicit grant can't be used in confidential application"
context 'when application is confidential' do
before do
application.update(confidential: true)
params[:response_type] = 'token'
end
it 'does not allow the implicit flow' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template('doorkeeper/authorizations/error')
end
end
end end
describe 'DELETE #destroy' do describe 'DELETE #destroy' do
subject { delete :destroy, params: params } subject { delete :destroy, params: params }
include_examples 'OAuth Authorizations require confirmed user' include_examples 'OAuth Authorizations require confirmed user'
include_examples "Implicit grant can't be used in confidential application"
end end
it 'includes Two-factor enforcement concern' do it 'includes Two-factor enforcement concern' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment