author | Shinya Maeda <shinya@gitlab.com> | 2017-10-06 21:28:40 +0900 |
committer | Shinya Maeda <shinya@gitlab.com> | 2017-10-06 21:28:40 +0900 |
commit | f293288589f24e1928b57dcd3428b762ae9ced79 (patch) | |
tree | d54b6425ac0fe596e27d3cbe291e08f28b10267b /app | |
parent | 5ced761ebdcb0579377e338c2e321e4ba0373336 (diff) | |
download | gitlab-ce-f293288589f24e1928b57dcd3428b762ae9ced79.tar.gz |
Security fix: redirection in google_api/authorizations_controller
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/google_api/authorizations_controller.rb | 9 | ||||
-rw-r--r-- | app/controllers/projects/clusters_controller.rb | 10 |
2 files changed, 14 insertions, 5 deletions
diff --git a/app/controllers/google_api/authorizations_controller.rb b/app/controllers/google_api/authorizations_controller.rb
index e4f76fb493e..709d1d34796 100644
--- a/app/controllers/google_api/authorizations_controller.rb
+++ b/app/controllers/google_api/authorizations_controller.rb
@@ -9,8 +9,13 @@ module GoogleApi
       session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] = expires_at.to_s
 
-      if params[:state].present?
-        redirect_to params[:state]
+      key, _ = GoogleApi::CloudPlatform::Client
+        .session_key_for_second_redirect_uri(secure: params[:state])
+
+      second_redirect_uri = session[key]
+
+      if second_redirect_uri.present?
+        redirect_to second_redirect_uri
       else
         redirect_to root_path
       end
diff --git a/app/controllers/projects/clusters_controller.rb b/app/controllers/projects/clusters_controller.rb
index ce8e73392b8..2f7364f4abf 100644
--- a/app/controllers/projects/clusters_controller.rb
+++ b/app/controllers/projects/clusters_controller.rb
@@ -16,9 +16,13 @@ class Projects::ClustersController < Projects::ApplicationController
 
   def login
     begin
-      @authorize_url = GoogleApi::CloudPlatform::Client.new(
-        nil, callback_google_api_auth_url,
-        state: namespace_project_clusters_url.to_s).authorize_url
+      GoogleApi::CloudPlatform::Client.session_key_for_second_redirect_uri.tap do |key, secure|
+        session[key] = namespace_project_clusters_url.to_s
+
+        @authorize_url = GoogleApi::CloudPlatform::Client.new(
+          nil, callback_google_api_auth_url,
+          state: secure).authorize_url
+      end
     rescue GoogleApi::Auth::ConfigMissingError
       # no-op
     end
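Review bot: The stored redirect target is read with `session[key]` but never removed, so the same `state` value keeps resolving to a redirect on every later call of the callback and the entry stays in the session; reading it as `second_redirect_uri = session.delete(key)` makes the stored target single-use and stops these entries accumulating. Whether a blank or unrecognised `params[:state]` reliably ends at `root_path` cannot be judged from here, because `session_key_for_second_redirect_uri` is defined outside the hunk — presumably it yields a key with no session entry, which deserves a spec rather than an assumption. `key, _ =` introduces a throwaway name; `key, = GoogleApi::CloudPlatform::Client...` or `.first` discards the second element without it. The enclosing action starts before the hunk and its closing `end` is after it.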
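Review bot: `tap` is used here for its block rather than its return value: the `do |key, secure|` block only writes `session[key]` and assigns `@authorize_url`, and the tapped array is discarded, so a plain destructuring assignment reads more directly: `key, secure = GoogleApi::CloudPlatform::Client.session_key_for_second_redirect_uri` followed by the same two statements un-nested. Each call to `login` appears to store a fresh key in the session, and the callback hunk in authorizations_controller.rb reads it without removing it, so repeated logins may grow the session — worth confirming against the session store in use, since a cookie-backed store is bounded by cookie size. The `begin`/`rescue` and its `end` are within the hunk's context lines, but the method's closing `end` lies outside it.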