Merge branch 'security-fix-uri-xss-applications' into 'master'

[master] Resolve "Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols" See merge request gitlab/gitlabhq!2572
author: Cindy Pallares <cindy@gitlab.com> 2018-11-28 22:53:48 +0000
committer: Cindy Pallares <cindy@gitlab.com> 2018-11-28 19:14:15 -0500
commit: 5736d6606ad7c6d729baa6c4ef789a47ada4ceda (patch)
tree: 1ae542a04e8782f61a592e3bceeacc087639a1e5 /config/initializers
parent: c0e5d9afee57745a79c072b0f57fdcbe164312da (diff)
download: gitlab-ce-5736d6606ad7c6d729baa6c4ef789a47ada4ceda.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index f321b4ea763..6be5c00daaa 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -48,6 +48,13 @@ Doorkeeper.configure do
   #
   force_ssl_in_redirect_uri false
 
+  # Specify what redirect URI's you want to block during Application creation.
+  # Any redirect URI is whitelisted by default.
+  #
+  # You can use this option in order to forbid URI's with 'javascript' scheme
+  # for example.
+  forbid_redirect_uri { |uri| %w[data vbscript javascript].include?(uri.scheme.to_s.downcase) }
+
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
author	Cindy Pallares <cindy@gitlab.com>	2018-11-28 22:53:48 +0000
committer	Cindy Pallares <cindy@gitlab.com>	2018-11-28 19:14:15 -0500
commit	5736d6606ad7c6d729baa6c4ef789a47ada4ceda (patch)
tree	1ae542a04e8782f61a592e3bceeacc087639a1e5 /config/initializers
parent	c0e5d9afee57745a79c072b0f57fdcbe164312da (diff)
download	gitlab-ce-5736d6606ad7c6d729baa6c4ef789a47ada4ceda.tar.gz