diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:21:00 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:21:00 +0000 |
| commit | fa70ce1068babe592d348497c772f1b5160cbb6e (patch) | |
| tree | 88e00024a01cd6464afc88150a378f3e1de5bc7e | |
| parent | bd200951d7e928b84bd5b4ef1210a56d688a03c9 (diff) | |
| download | gitlab-ce-fa70ce1068babe592d348497c772f1b5160cbb6e.tar.gz | |
Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee
| -rw-r--r-- | app/controllers/oauth/authorizations_controller.rb | 11 | ||||
| -rw-r--r-- | changelogs/unreleased/security-implicit-confidential.yml | 5 | ||||
| -rw-r--r-- | spec/controllers/oauth/authorizations_controller_spec.rb | 14 |
3 files changed, 30 insertions, 0 deletions
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb index 6e8686ee90b..ade698baa7f 100644 --- a/app/controllers/oauth/authorizations_controller.rb +++ b/app/controllers/oauth/authorizations_controller.rb @@ -24,6 +24,17 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController end end + def create + # Confidential apps require the client_secret to be sent with the request. + # Doorkeeper allows implicit grant flow requests (response_type=token) to + # work without client_secret regardless of the confidential setting. + if pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential + render "doorkeeper/authorizations/error" + else + super + end + end + private def verify_confirmed_email! diff --git a/changelogs/unreleased/security-implicit-confidential.yml b/changelogs/unreleased/security-implicit-confidential.yml new file mode 100644 index 00000000000..bbf2d95b3fb --- /dev/null +++ b/changelogs/unreleased/security-implicit-confidential.yml @@ -0,0 +1,5 @@ +--- +title: Deny implicit flow for confidential apps +merge_request: +author: +type: security diff --git a/spec/controllers/oauth/authorizations_controller_spec.rb b/spec/controllers/oauth/authorizations_controller_spec.rb index 23d472f6853..f811f13def8 100644 --- a/spec/controllers/oauth/authorizations_controller_spec.rb +++ b/spec/controllers/oauth/authorizations_controller_spec.rb @@ -95,6 +95,20 @@ RSpec.describe Oauth::AuthorizationsController do subject { post :create, params: params } include_examples 'OAuth Authorizations require confirmed user' + + context 'when application is confidential' do + before do + application.update(confidential: true) + params[:response_type] = 'token' + end + + it 'does not allow the implicit flow' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(response).to render_template('doorkeeper/authorizations/error') + end + end end describe 'DELETE #destroy' do |