diff options
| author | Tiger <twatson@gitlab.com> | 2019-02-13 11:11:28 +1100 |
|---|---|---|
| committer | Tiger <twatson@gitlab.com> | 2019-02-19 17:21:08 +1100 |
| commit | fc8c1a77d36003795586fe076243b6eb90db6f03 (patch) | |
| tree | f91e04681862763911fc5ff0bfc15693bc85e86a /app/controllers | |
| parent | 0f20c401d37354cb91ab66b6e220b95f2301dafb (diff) | |
| download | gitlab-ce-fc8c1a77d36003795586fe076243b6eb90db6f03.tar.gz | |
Validate session key when authorizing with GCP to create a cluster
It was previously possible to link a GCP account to another
user's GitLab account by having them visit the callback URL,
as there was no check that they were the initiator of the
request.
We now reject the callback unless the state parameter
matches the one added to the initiating user's session.
Diffstat (limited to 'app/controllers')
| -rw-r--r-- | app/controllers/google_api/authorizations_controller.rb | 32 |
1 files changed, 21 insertions, 11 deletions
diff --git a/app/controllers/google_api/authorizations_controller.rb b/app/controllers/google_api/authorizations_controller.rb index dd9f5af61b3..ed0995e7ffd 100644 --- a/app/controllers/google_api/authorizations_controller.rb +++ b/app/controllers/google_api/authorizations_controller.rb @@ -2,6 +2,10 @@ module GoogleApi class AuthorizationsController < ApplicationController + include Gitlab::Utils::StrongMemoize + + before_action :validate_session_key! + def callback token, expires_at = GoogleApi::CloudPlatform::Client .new(nil, callback_google_api_auth_url) @@ -11,21 +15,27 @@ module GoogleApi session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] = expires_at.to_s - state_redirect_uri = redirect_uri_from_session_key(params[:state]) - - if state_redirect_uri - redirect_to state_redirect_uri - else - redirect_to root_path - end + redirect_to redirect_uri_from_session end private - def redirect_uri_from_session_key(state) - key = GoogleApi::CloudPlatform::Client - .session_key_for_redirect_uri(params[:state]) - session[key] if key + def validate_session_key! + access_denied! unless redirect_uri_from_session.present? + end + + def redirect_uri_from_session + strong_memoize(:redirect_uri_from_session) do + if params[:state].present? + session[session_key_for_redirect_uri(params[:state])] + else + nil + end + end + end + + def session_key_for_redirect_uri(state) + GoogleApi::CloudPlatform::Client.session_key_for_redirect_uri(state) end end end |