diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-27 15:30:20 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-27 15:30:20 +0000 |
commit | 9141b9ceccf6361be9b4da69d6ca7d93157c456e (patch) | |
tree | 0fd894747dc282dcd539df5391b195afb51ebb63 | |
parent | 88725a6b87961c5f3052259f84208a6ccb943b34 (diff) | |
download | gitlab-ce-9141b9ceccf6361be9b4da69d6ca7d93157c456e.tar.gz |
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
4 files changed, 38 insertions, 0 deletions
diff --git a/app/controllers/oauth/authorized_applications_controller.rb b/app/controllers/oauth/authorized_applications_controller.rb index 9cfa57c53a5..addec71f0bf 100644 --- a/app/controllers/oauth/authorized_applications_controller.rb +++ b/app/controllers/oauth/authorized_applications_controller.rb @@ -5,6 +5,13 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio layout 'profile' + def index + respond_to do |format| + format.html { render "errors/not_found", layout: "errors", status: :not_found } + format.json { render json: "", status: :not_found } + end + end + def destroy if params[:token_id].present? current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke diff --git a/changelogs/unreleased/security-file-template-project.yml b/changelogs/unreleased/security-file-template-project.yml new file mode 100644 index 00000000000..ca4c88f20a6 --- /dev/null +++ b/changelogs/unreleased/security-file-template-project.yml @@ -0,0 +1,5 @@ +--- +title: Do not return private project ID without permission +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-fix-CVE-2020-10187.yml b/changelogs/unreleased/security-fix-CVE-2020-10187.yml new file mode 100644 index 00000000000..5510f3dc5fb --- /dev/null +++ b/changelogs/unreleased/security-fix-CVE-2020-10187.yml @@ -0,0 +1,5 @@ +--- +title: Fix doorkeeper CVE-2020-10187 +merge_request: +author: +type: security diff --git a/spec/controllers/oauth/authorized_applications_controller_spec.rb b/spec/controllers/oauth/authorized_applications_controller_spec.rb new file mode 100644 index 00000000000..32be6a3ddb7 --- /dev/null +++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb @@ -0,0 +1,21 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe Oauth::AuthorizedApplicationsController do + let(:user) { create(:user) } + let(:guest) { create(:user) } + let(:application) { create(:oauth_application, owner: guest) } + + before do + sign_in(user) + end + + describe 'GET #index' do + it 'responds with 404' do + get :index + + expect(response).to have_gitlab_http_status(:not_found) + end + end +end |