author Robert Speicher <rspeicher@gmail.com> 2018-03-07 09:54:57 -0600
committer Robert Speicher <rspeicher@gmail.com> 2018-03-07 09:54:57 -0600
commit 42725ea96c7c2804d8a08130de529aceb87129d1 (patch)
tree a78271f92cf7f0266660fea06afde1144a27724f
parent d9ca76559f740bdeac78bcd9a7cfe60df5ef9795 (diff)
parent 2fcf779cff589b2e47feb5ea8df8afeba10a6717 (diff)
download gitlab-ce-42725ea96c7c2804d8a08130de529aceb87129d1.tar.gz
Merge remote-tracking branch 'dev/master'
-rw-r--r-- CHANGELOG.md 21
-rw-r--r-- GITLAB_PAGES_VERSION 2
-rw-r--r-- app/controllers/concerns/authenticates_with_two_factor.rb 1
-rw-r--r-- changelogs/unreleased/sh-fix-otp-backup-code-invalidation.yml 5
-rw-r--r-- spec/features/users/login_spec.rb 12
5 files changed, 40 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8d399b2b98..246a0fbc5f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 10.5.3 (2018-03-01)
+
+### Security (1 change)
+
+- Ensure that OTP backup codes are always invalidated.
+
+
## 10.5.2 (2018-02-25)
### Fixed (7 changes)
@@ -219,6 +226,13 @@ entry.
- Adds empty state illustration for pending job.
+## 10.4.5 (2018-03-01)
+
+### Security (1 change)
+
+- Ensure that OTP backup codes are always invalidated.
+
+
## 10.4.4 (2018-02-16)
### Security (1 change)
@@ -443,6 +457,13 @@ entry.
- Use a background migration for issues.closed_at.
+## 10.3.8 (2018-03-01)
+
+### Security (1 change)
+
+- Ensure that OTP backup codes are always invalidated.
+
+
## 10.3.7 (2018-02-05)
### Security (4 changes)
diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION
index a918a2aa18d..ee6cdce3c29 100644
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
@@ -1 +1 @@
-0.6.0
+0.6.1
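Review bot: the GITLAB_PAGES_VERSION bump from 0.6.0 to 0.6.1 is not mentioned in any of the CHANGELOG.md hunks in this merge, which only list the OTP backup code fix under 10.5.3, 10.4.5 and 10.3.8. If the Pages bump ships as part of the same security release, a changelog line for it would make the released component versions traceable; if it is unrelated, it belongs in a separate commit.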
diff --git a/app/controllers/concerns/authenticates_with_two_factor.rb b/app/controllers/concerns/authenticates_with_two_factor.rb
index db8c362f125..2753f83c3cf 100644
--- a/app/controllers/concerns/authenticates_with_two_factor.rb
+++ b/app/controllers/concerns/authenticates_with_two_factor.rb
@@ -56,6 +56,7 @@ module AuthenticatesWithTwoFactor
session.delete(:otp_user_id)
remember_me(user) if user_params[:remember_me] == '1'
+ user.save!
sign_in(user)
else
user.increment_failed_attempts!
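Review bot: the added `user.save!` at the top of this hunk has no comment explaining what it persists, and its position between `remember_me(user)` and `sign_in(user)` gives a future reader no hint that this is the line that makes the backup code invalidation durable. A one-line comment such as `# Persist the consumed OTP backup code before signing in` would document the security intent. Also note that `save!` raises on a validation failure, so a failure here surfaces as an error rather than a silent sign-in with the code still valid; that is the safer direction for this branch, but it should be a deliberate choice rather than an accident, and the `else` branch's `increment_failed_attempts!` path is unaffected either way.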
diff --git a/changelogs/unreleased/sh-fix-otp-backup-code-invalidation.yml b/changelogs/unreleased/sh-fix-otp-backup-code-invalidation.yml
new file mode 100644
index 00000000000..cedb09c9a7a
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-otp-backup-code-invalidation.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure that OTP backup codes are always invalidated
+merge_request:
+author:
+type: security
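Review bot: `merge_request:` and `author:` are left blank in the changelog entry. Leaving `merge_request:` empty is understandable for a fix that lands through the dev remote rather than a public MR, but the entry then carries no reference back to the review that produced it; if an issue or MR number exists it should be filled in so the security changelog line can be traced.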
diff --git a/spec/features/users/login_spec.rb b/spec/features/users/login_spec.rb
index 6ef235cf870..bc75dc5d19b 100644
--- a/spec/features/users/login_spec.rb
+++ b/spec/features/users/login_spec.rb
@@ -145,6 +145,18 @@ feature 'Login' do
expect { enter_code(codes.sample) }
.to change { user.reload.otp_backup_codes.size }.by(-1)
end
+
+ it 'invalidates backup codes twice in a row' do
+ random_code = codes.delete(codes.sample)
+ expect { enter_code(random_code) }
+ .to change { user.reload.otp_backup_codes.size }.by(-1)
+
+ gitlab_sign_out
+ gitlab_sign_in(user)
+
+ expect { enter_code(codes.sample) }
+ .to change { user.reload.otp_backup_codes.size }.by(-1)
+ end
end
context 'with invalid code' do
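Review bot: the new spec `'invalidates backup codes twice in a row'` only asserts that `otp_backup_codes.size` drops by one on each login; it never checks that the code consumed in the first login (`random_code`) is actually rejected afterwards, which is the property the fix is meant to guarantee. Removing it from the local `codes` array with `codes.delete(codes.sample)` guarantees the second `codes.sample` picks a different code, but a regression that fails to persist the invalidation while still decrementing the count in memory would pass this test. Consider adding, after the second sign-in, an expectation that `enter_code(random_code)` does not change `user.reload.otp_backup_codes.size` and does not sign the user in.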