authorSean McGivern <sean@gitlab.com>2017-04-05 21:17:49 +0000
committerDJ Mountney <david@twkie.net>2017-04-05 15:16:40 -0700
commit94ba06f251e446fdd5b4c4e54336897374240633 (patch)
tree89514d6edc8e1658d56b6c90dad6469fe879867c
parent3a5125949e12c4f8543c2f0ce7c53e9e548b7429 (diff)
Merge branch 'open-redirect-fix-continue-to' into 'security'
Fix for open redirect vulnerability involving continue[to] params. See merge request !2083
-rw-r--r--app/controllers/concerns/continue_params.rb1
-rw-r--r--changelogs/unreleased/open-redirect-continue-params.yml4
-rw-r--r--spec/controllers/projects/imports_controller_spec.rb9
3 files changed, 13 insertions, 1 deletions
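--- a/app/controllers/concerns/continue_params.rb
+++ b/app/controllers/concerns/continue_params.rb
@@ -7,6 +7,7 @@ module ContinueParams
 continue_params = continue_params.permit(:to, :notice, :notice_now)
 return unless continue_params[:to] && continue_params[:to].start_with?('/')
+return if continue_params[:to].start_with?('//')
 continue_params
 end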
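Review bot: The added `return if continue_params[:to].start_with?('//')` closes the protocol-relative case, but a prefix denylist still accepts a value whose second character is a backslash, which several browsers normalize to a second slash before resolving the Location header, and it makes no statement about otherwise malformed values. Rather than growing the list of rejected prefixes, parse the value with stdlib `URI` and require that it has neither a scheme nor a host, treating anything `URI.parse` rejects as not redirectable. `continue_params` begins above the hunk (the header shows this is line 7 of the module), so the two `return` lines would be replaced as below while the rest of the method is unchanged.

```ruby
continue_params = continue_params.permit(:to, :notice, :notice_now)
to = continue_params[:to]
return unless to && to.start_with?('/') && !to.start_with?('//')

# A bare path has neither scheme nor host; anything URI cannot parse
# (for example a backslash after the leading slash) is rejected as well.
begin
  uri = URI.parse(to)
rescue URI::InvalidURIError
  return
end
return unless uri.scheme.nil? && uri.host.nil?

# … unchanged: return continue_params …
```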
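--- /dev/null
+++ b/changelogs/unreleased/open-redirect-continue-params.yml
@@ -0,0 +1,4 @@
+---
+title: Fix for open redirect vulnerability using continue[to] in URL when requesting project import status.
+merge_request:
+author: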
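--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@@ -96,12 +96,19 @@ describe Projects::ImportsController do
 }
 end
-it 'redirects to params[:to]' do
+it 'redirects to internal params[:to]' do
 get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: params
 expect(flash[:notice]).to eq params[:notice]
 expect(response).to redirect_to params[:to]
 end
+
+it 'does not redirect to external params[:to]' do
+params[:to] = "//google.com"
+
+get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: params
+expect(response).not_to redirect_to params[:to]
+end
 end
 end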
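Review bot: The negated matcher in the new example, `expect(response).not_to redirect_to params[:to]`, passes for any response that is not a redirect to `//google.com` — a rendered 200 or a redirect to some other unintended location would both satisfy it — so it does not pin where a rejected `continue[:to]` actually sends the user. Assert the fallback location positively instead, e.g. `expect(response).to redirect_to(<fallback-path-helper>)` using whichever helper the controller uses when `continue_params` returns nil, which is not visible in this hunk. It would also be worth an example for the "rejected value must not reach the flash" side if the controller sets `flash[:notice]` only on the continue path. The enclosing `describe` block opens before the hunk.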