Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee

2 files changed, 14 insertions, 0 deletions

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 55e03503ba9..cdfb3a32f4c 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -49,6 +49,7 @@ class Admin::UsersController < Admin::ApplicationController
       session[:impersonator_id] = current_user.id
 
       warden.set_user(user, scope: :user)
+      clear_access_token_session_keys!
 
       log_impersonation_event
 
diff --git a/app/controllers/concerns/impersonation.rb b/app/controllers/concerns/impersonation.rb
index 0764fbc8eb3..539dd9ad69d 100644
--- a/app/controllers/concerns/impersonation.rb
+++ b/app/controllers/concerns/impersonation.rb
@@ -3,6 +3,12 @@
 module Impersonation
   include Gitlab::Utils::StrongMemoize
 
+  SESSION_KEYS_TO_DELETE = %w(
+    github_access_token gitea_access_token gitlab_access_token
+    bitbucket_token bitbucket_refresh_token bitbucket_server_personal_access_token
+    bulk_import_gitlab_access_token fogbugz_token
+  ).freeze
+
   def current_user
     user = super
 
@@ -27,6 +33,7 @@ module Impersonation
 
     warden.set_user(impersonator, scope: :user)
     session[:impersonator_id] = nil
+    clear_access_token_session_keys!
 
     current_user
   end
@@ -39,6 +46,12 @@ module Impersonation
     Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{current_user.username}")
   end
 
+  def clear_access_token_session_keys!
+    access_tokens_keys = session.keys & SESSION_KEYS_TO_DELETE
+
+    access_tokens_keys.each { |key| session.delete(key) }
+  end
+
   def impersonator
     strong_memoize(:impersonator) do
       User.find(session[:impersonator_id]) if session[:impersonator_id]