Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee

4 files changed, 30 insertions, 0 deletions

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 55e03503ba9..cdfb3a32f4c 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -49,6 +49,7 @@ class Admin::UsersController < Admin::ApplicationController
       session[:impersonator_id] = current_user.id
 
       warden.set_user(user, scope: :user)
+      clear_access_token_session_keys!
 
       log_impersonation_event
 
diff --git a/app/controllers/concerns/impersonation.rb b/app/controllers/concerns/impersonation.rb
index 0764fbc8eb3..539dd9ad69d 100644
--- a/app/controllers/concerns/impersonation.rb
+++ b/app/controllers/concerns/impersonation.rb
@@ -3,6 +3,12 @@
 module Impersonation
   include Gitlab::Utils::StrongMemoize
 
+  SESSION_KEYS_TO_DELETE = %w(
+    github_access_token gitea_access_token gitlab_access_token
+    bitbucket_token bitbucket_refresh_token bitbucket_server_personal_access_token
+    bulk_import_gitlab_access_token fogbugz_token
+  ).freeze
+
   def current_user
     user = super
 
@@ -27,6 +33,7 @@ module Impersonation
 
     warden.set_user(impersonator, scope: :user)
     session[:impersonator_id] = nil
+    clear_access_token_session_keys!
 
     current_user
   end
@@ -39,6 +46,12 @@ module Impersonation
     Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{current_user.username}")
   end
 
+  def clear_access_token_session_keys!
+    access_tokens_keys = session.keys & SESSION_KEYS_TO_DELETE
+
+    access_tokens_keys.each { |key| session.delete(key) }
+  end
+
   def impersonator
     strong_memoize(:impersonator) do
       User.find(session[:impersonator_id]) if session[:impersonator_id]
diff --git a/spec/controllers/admin/impersonations_controller_spec.rb b/spec/controllers/admin/impersonations_controller_spec.rb
index 744c0712d6b..ccf4454c349 100644
--- a/spec/controllers/admin/impersonations_controller_spec.rb
+++ b/spec/controllers/admin/impersonations_controller_spec.rb
@@ -92,6 +92,14 @@ RSpec.describe Admin::ImpersonationsController do
 
                 expect(warden.user).to eq(impersonator)
               end
+
+              it 'clears token session keys' do
+                session[:bitbucket_token] = SecureRandom.hex(8)
+
+                delete :destroy
+
+                expect(session[:bitbucket_token]).to be_nil
+              end
             end
 
             # base case
diff --git a/spec/controllers/admin/users_controller_spec.rb b/spec/controllers/admin/users_controller_spec.rb
index e43ba6358f9..3a2b5dcb99d 100644
--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -794,6 +794,14 @@ RSpec.describe Admin::UsersController do
 
         expect(flash[:alert]).to eq("You are now impersonating #{user.username}")
       end
+
+      it 'clears token session keys' do
+        session[:github_access_token] = SecureRandom.hex(8)
+
+        post :impersonate, params: { id: user.username }
+
+        expect(session[:github_access_token]).to be_nil
+      end
     end
 
     context "when impersonation is disabled" do