authorDouwe Maan <douwe@gitlab.com>2016-03-13 13:18:24 +0000
committerDouwe Maan <douwe@gitlab.com>2016-03-13 13:18:24 +0000
commit8e7661c218c1d9c6fd856af69cabc77c1cd0d22d (patch)
tree831176183236d212819334a79d4c1b79b177c006
parenta3b626bf2544a1ad98651a2a2c5cdd13dc934e12 (diff)
parent5352ec2e21ba72d77a542b158ce1a98a1a3a9389 (diff)
Merge branch 'redirect-host-check' into 'master'
Redirect host check. Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2649. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/13956. See merge request !1945
-rw-r--r--CHANGELOG1
-rw-r--r--app/controllers/concerns/continue_params.rb13
-rw-r--r--app/controllers/projects/forks_controller.rb13
-rw-r--r--app/controllers/projects/imports_controller.rb12
-rw-r--r--spec/controllers/projects/imports_controller_spec.rb4
5 files changed, 20 insertions, 23 deletions
diff --git a/CHANGELOG b/CHANGELOG
index d4554b96190..7c63414e580 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -29,6 +29,7 @@ v 8.6.0 (unreleased)
- Add main language of a project in the list of projects (Tiago Botelho)
- Add ability to show archived projects on dashboard, explore and group pages
- Move group activity to separate page
+ - Continue parameters are checked to ensure redirection goes to the same instance
v 8.5.5
- Ensure removing a project removes associated Todo entries
diff --git a/app/controllers/concerns/continue_params.rb b/app/controllers/concerns/continue_params.rb
new file mode 100644
index 00000000000..0a995c45bdf
--- /dev/null
+++ b/app/controllers/concerns/continue_params.rb
@@ -0,0 +1,13 @@
+module ContinueParams
+ extend ActiveSupport::Concern
+
+ def continue_params
+ continue_params = params[:continue]
+ return nil unless continue_params
+
+ continue_params = continue_params.permit(:to, :notice, :notice_now)
+ return unless continue_params[:to] && continue_params[:to].start_with?('/')
+
+ continue_params
+ end
+end
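Review bot: The guard `return unless continue_params[:to] && continue_params[:to].start_with?('/')` still accepts a protocol-relative value such as `//host/path`, which browsers resolve against a different host, so the "same instance" guarantee the CHANGELOG entry states does not yet hold; tighten it to `return unless continue_params[:to] && continue_params[:to].start_with?('/') && !continue_params[:to].start_with?('//')` (or parse with `URI` and require `host` to be nil). `continue_params` is also public in the concern, whereas both controllers previously kept it under `private`; a `private` marker before the `def` keeps it out of the controllers' public action methods. The method mixes `return nil` and a bare `return`; use one form. A one-line comment would make the intent explicit, e.g. `# Only allow redirects to a path on this instance; drop anything with a scheme or host.`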
diff --git a/app/controllers/projects/forks_controller.rb b/app/controllers/projects/forks_controller.rb
index 7b202f3862f..a1b8632df98 100644
--- a/app/controllers/projects/forks_controller.rb
+++ b/app/controllers/projects/forks_controller.rb
@@ -1,4 +1,6 @@
class Projects::ForksController < Projects::ApplicationController
+ include ContinueParams
+
# Authorize
before_action :require_non_empty_project
before_action :authorize_download_code!
@@ -53,15 +55,4 @@ class Projects::ForksController < Projects::ApplicationController
render :error
end
end
-
- private
-
- def continue_params
- continue_params = params[:continue]
- if continue_params
- continue_params.permit(:to, :notice, :notice_now)
- else
- nil
- end
- end
end
diff --git a/app/controllers/projects/imports_controller.rb b/app/controllers/projects/imports_controller.rb
index 196996f1752..7756f0f0ed3 100644
--- a/app/controllers/projects/imports_controller.rb
+++ b/app/controllers/projects/imports_controller.rb
@@ -1,4 +1,6 @@
class Projects::ImportsController < Projects::ApplicationController
+ include ContinueParams
+
# Authorize
before_action :authorize_admin_project!
before_action :require_no_repo, only: [:new, :create]
@@ -44,16 +46,6 @@ class Projects::ImportsController < Projects::ApplicationController
private
- def continue_params
- continue_params = params[:continue]
-
- if continue_params
- continue_params.permit(:to, :notice, :notice_now)
- else
- nil
- end
- end
-
def finished_notice
if @project.forked?
'The project was successfully forked.'
diff --git a/spec/controllers/projects/imports_controller_spec.rb b/spec/controllers/projects/imports_controller_spec.rb
index 0147bd2b953..2acbba469e3 100644
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@@ -19,7 +19,7 @@ describe Projects::ImportsController do
end
it 'sets flash.now if params is present' do
- get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: { notice_now: 'Started' }
+ get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: { to: '/', notice_now: 'Started' }
expect(flash.now[:notice]).to eq 'Started'
end
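Review bot: Both spec hunks (this one and the 'In progress' example below) only add `to: '/'` so the existing flash assertions keep passing; nothing asserts the new behaviour that a `continue[:to]` not starting with `/` is discarded and no flash is set. Add an example in the same shape, e.g. `get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: { to: 'http://<other-host>/', notice_now: 'Started' }` followed by `expect(flash.now[:notice]).to be_nil`. The enclosing `describe` block begins outside this hunk.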
@@ -45,7 +45,7 @@ describe Projects::ImportsController do
end
it 'sets flash.now if params is present' do
- get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: { notice_now: 'In progress' }
+ get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: { to: '/', notice_now: 'In progress' }
expect(flash.now[:notice]).to eq 'In progress'
end