author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-01-10 20:41:02 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-01-10 20:41:18 +0000 |
commit | 14d2af20ed388dc30da7cc103584b0229e0edb62 (patch) | |
tree | b8eea54390428ecd2a2f9b1568d42bbf9516a47d /app | |
parent | b69a74a63d5508767cd8b6ea5d1c966de0ee07fd (diff) | |
download | gitlab-ce-14d2af20ed388dc30da7cc103584b0229e0edb62.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-6-stable-ee
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/import/github_controller.rb | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/app/controllers/import/github_controller.rb b/app/controllers/import/github_controller.rb
index d7aebd25432..55f4563285d 100644
--- a/app/controllers/import/github_controller.rb
+++ b/app/controllers/import/github_controller.rb
@@ -28,8 +28,14 @@ class Import::GithubController < Import::BaseController
   end
   def callback
-    session[access_token_key] = get_token(params[:code])
-    redirect_to status_import_url
+    auth_state = session[auth_state_key]
+    session[auth_state_key] = nil
+    if auth_state.blank? || !ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state])
+      provider_unauthorized
+    else
+      session[access_token_key] = get_token(params[:code])
+      redirect_to status_import_url
+    end
   end
   def personal_access_token
@@ -154,13 +160,16 @@ class Import::GithubController < Import::BaseController
   end
   def authorize_url
+    state = SecureRandom.base64(64)
+    session[auth_state_key] = state
     if Feature.enabled?(:remove_legacy_github_client)
       oauth_client.auth_code.authorize_url(
         redirect_uri: callback_import_url,
-        scope: 'repo, user, user:email'
+        scope: 'repo, user, user:email',
+        state: state
       )
     else
-      client.authorize_url(callback_import_url)
+      client.authorize_url(callback_import_url, state)
     end
   end
@@ -219,6 +228,10 @@ class Import::GithubController < Import::BaseController
     alert: _('Missing OAuth configuration for GitHub.')
   end
+  def auth_state_key
+    :"#{provider_name}_auth_state_key"
+  end
+
   def access_token_key
     :"#{provider_name}_access_token"
   end
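Review bot: In the new `callback` body, a request that carries a valid session state but no `state` query parameter reaches `ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state])` with `nil` as the second argument; secure_compare compares the byte sizes of both arguments, so this most likely raises NoMethodError and answers with a 500 instead of the intended `provider_unauthorized` (a non-String value such as an array-typed `state` param would presumably fail the same way). Treat a missing or non-string state as a mismatch before comparing: `if auth_state.blank? || params[:state].blank? || !ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state].to_s)`. Clearing the one-time value with `session.delete(auth_state_key)` rather than assigning `nil` would also avoid leaving a nil-valued key in the session, though that part is cosmetic.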
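Review bot: The symbol returned by the new `auth_state_key` method carries a `_key` suffix (`:"#{provider_name}_auth_state_key"`), unlike its sibling `access_token_key`, which yields `:"#{provider_name}_access_token"`; the suffix reads like the method name copied into the string rather than a deliberate session-key name. Consider `:"#{provider_name}_auth_state"` so the two helpers follow the same pattern. As far as this diff shows, only `authorize_url` and `callback` read the key, so the change stays local to the file.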