authorShinya Maeda <shinya@gitlab.com>2017-10-06 21:28:40 +0900
committerShinya Maeda <shinya@gitlab.com>2017-10-06 21:28:40 +0900
commitf293288589f24e1928b57dcd3428b762ae9ced79 (patch)
treed54b6425ac0fe596e27d3cbe291e08f28b10267b /app
parent5ced761ebdcb0579377e338c2e321e4ba0373336 (diff)
Security fix: redirection in google_api/authorizations_controller
Diffstat (limited to 'app')
-rw-r--r--app/controllers/google_api/authorizations_controller.rb9
-rw-r--r--app/controllers/projects/clusters_controller.rb10
2 files changed, 14 insertions, 5 deletions
diff --git a/app/controllers/google_api/authorizations_controller.rb b/app/controllers/google_api/authorizations_controller.rb
index e4f76fb493e..709d1d34796 100644
--- a/app/controllers/google_api/authorizations_controller.rb
+++ b/app/controllers/google_api/authorizations_controller.rb
@@ -9,8 +9,13 @@ module GoogleApi
session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] =
expires_at.to_s
- if params[:state].present?
- redirect_to params[:state]
+ key, _ = GoogleApi::CloudPlatform::Client
+ .session_key_for_second_redirect_uri(secure: params[:state])
+
+ second_redirect_uri = session[key]
+
+ if second_redirect_uri.present?
+ redirect_to second_redirect_uri
else
redirect_to root_path
end
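Review bot: The redirect target read at `second_redirect_uri = session[key]` is left in the session after the redirect, so the entry keyed by this state value stays usable for any later callback that carries the same `state` until the session expires; reading it with `second_redirect_uri = session.delete(key)` makes the stored URI single-use and stops these entries from accumulating across repeated logins. The value itself is trusted as far as these lines show, because the caller stores an application-generated URL (see the clusters_controller hunk) rather than request input, which is what closes the open redirect the removed `redirect_to params[:state]` allowed. What `session_key_for_second_redirect_uri(secure: params[:state])` returns for a missing or tampered `state` is not visible here; the fallback to `root_path` then relies only on the session lookup returning nil, which deserves a test with an unknown `state`. The enclosing callback action begins before this hunk.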
diff --git a/app/controllers/projects/clusters_controller.rb b/app/controllers/projects/clusters_controller.rb
index ce8e73392b8..2f7364f4abf 100644
--- a/app/controllers/projects/clusters_controller.rb
+++ b/app/controllers/projects/clusters_controller.rb
@@ -16,9 +16,13 @@ class Projects::ClustersController < Projects::ApplicationController
def login
begin
- @authorize_url = GoogleApi::CloudPlatform::Client.new(
- nil, callback_google_api_auth_url,
- state: namespace_project_clusters_url.to_s).authorize_url
+ GoogleApi::CloudPlatform::Client.session_key_for_second_redirect_uri.tap do |key, secure|
+ session[key] = namespace_project_clusters_url.to_s
+
+ @authorize_url = GoogleApi::CloudPlatform::Client.new(
+ nil, callback_google_api_auth_url,
+ state: secure).authorize_url
+ end
rescue GoogleApi::Auth::ConfigMissingError
# no-op
end
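Review bot: `session[key] = namespace_project_clusters_url.to_s` runs before `GoogleApi::CloudPlatform::Client.new`, which is the call the `rescue GoogleApi::Auth::ConfigMissingError` guards, so when the Google API configuration is missing a redirect entry is still written to the session on every visit to `login` even though no authorization URL is produced. Constructing the client first and storing the return URL only after `authorize_url` succeeds keeps the session untouched on the failure path. Using `tap` only to destructure the returned pair is also unusual; a plain `key, secure = GoogleApi::CloudPlatform::Client.session_key_for_second_redirect_uri` reads more directly and avoids the extra block. The closing `end` of `login` lies outside the hunk.
```ruby
def login
  begin
    key, secure = GoogleApi::CloudPlatform::Client.session_key_for_second_redirect_uri

    @authorize_url = GoogleApi::CloudPlatform::Client.new(
      nil, callback_google_api_auth_url,
      state: secure).authorize_url

    # Only remember the return URL once an authorization URL exists.
    session[key] = namespace_project_clusters_url.to_s
  rescue GoogleApi::Auth::ConfigMissingError
    # no-op
  end
```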