4 files changed, 38 insertions, 0 deletions
diff --git a/app/controllers/oauth/authorized_applications_controller.rb b/app/controllers/oauth/authorized_applications_controller.rb
index 9cfa57c53a5..addec71f0bf 100644
--- a/app/controllers/oauth/authorized_applications_controller.rb
+++ b/app/controllers/oauth/authorized_applications_controller.rb
@@ -5,6 +5,13 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
   layout 'profile'
+  def index
+    respond_to do |format|
+      format.html { render "errors/not_found", layout: "errors", status: :not_found }
+      format.json { render json: "", status: :not_found }
+    end
+  end
+
   def destroy
     if params[:token_id].present?
       current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke
diff --git a/changelogs/unreleased/security-file-template-project.yml b/changelogs/unreleased/security-file-template-project.yml
new file mode 100644
index 00000000000..ca4c88f20a6
--- /dev/null
+++ b/changelogs/unreleased/security-file-template-project.yml
@@ -0,0 +1,5 @@
+---
+title: Do not return private project ID without permission
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-CVE-2020-10187.yml b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
new file mode 100644
index 00000000000..5510f3dc5fb
--- /dev/null
+++ b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
@@ -0,0 +1,5 @@
+---
+title: Fix doorkeeper CVE-2020-10187
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/oauth/authorized_applications_controller_spec.rb b/spec/controllers/oauth/authorized_applications_controller_spec.rb
new file mode 100644
index 00000000000..32be6a3ddb7
--- /dev/null
+++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb
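Review bot: The JSON branch of the new `index` uses `render json: "", status: :not_found`, which sends an empty body under an `application/json` content type — not valid JSON for a client that parses the response; `head :not_found` (or `render json: {}, status: :not_found`) is the cleaner equivalent and drops the empty string literal. The override only hides the route: the Doorkeeper action and view it bypasses still ship in the gem, so if the upstream CVE-2020-10187 fix is the authoritative one, a gem bump should accompany or follow this change rather than be replaced by it — I am inferring the motivation from the changelog title, not from code in this diff. A why-comment on the method would stop the next maintainer from "restoring" the page: `# Overrides Doorkeeper's index (GET /oauth/authorized_applications) with a 404 as the CVE-2020-10187 mitigation; revocation via #destroy is unaffected.` The `destroy` action is cut off by the hunk and not reviewed here. Separately, the `security-file-template-project` changelog entry in this diff has no matching code change in the four files listed, which looks like a stray file from another backport and is worth confirming.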
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Oauth::AuthorizedApplicationsController do
+  let(:user) { create(:user) }
+  let(:guest) { create(:user) }
+  let(:application) { create(:oauth_application, owner: guest) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe 'GET #index' do
+    it 'responds with 404' do
+      get :index
+
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+  end
+end
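Review bot: `let(:guest)` and `let(:application)` are never referenced in this spec, so they are dead declarations (lazy `let` never even evaluates them) and should be removed or actually used in an example. The single example covers only the HTML branch of the new `index`; the `format.json` branch is untested, so add a second example with `get :index, format: :json` and `expect(response).to have_gitlab_http_status(:not_found)` so both `respond_to` branches are pinned. If the suite has a template matcher available, asserting `render_template('errors/not_found')` in the HTML example would also catch a regression that swaps the error page for Doorkeeper's original view — I cannot tell from this diff whether that matcher is present.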