-rw-r--r--app/controllers/oauth/authorized_applications_controller.rb7
-rw-r--r--changelogs/unreleased/security-file-template-project.yml5
-rw-r--r--changelogs/unreleased/security-fix-CVE-2020-10187.yml5
-rw-r--r--spec/controllers/oauth/authorized_applications_controller_spec.rb21
4 files changed, 38 insertions, 0 deletions
diff --git a/app/controllers/oauth/authorized_applications_controller.rb b/app/controllers/oauth/authorized_applications_controller.rb
index 9cfa57c53a5..addec71f0bf 100644
--- a/app/controllers/oauth/authorized_applications_controller.rb
+++ b/app/controllers/oauth/authorized_applications_controller.rb
@@ -5,6 +5,13 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
layout 'profile'
+ def index
+ respond_to do |format|
+ format.html { render "errors/not_found", layout: "errors", status: :not_found }
+ format.json { render json: "", status: :not_found }
+ end
+ end
+
def destroy
if params[:token_id].present?
current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke
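Review bot: The new `index` override at the top of the hunk carries no explanation of why a page the Doorkeeper parent controller otherwise serves now returns 404, so a later maintainer could remove it as a regression; add a comment above `def index` such as `# Intentionally disabled: the Doorkeeper authorized-applications index is the subject of CVE-2020-10187 (see changelog); do not re-enable without re-auditing.` The JSON branch renders the string `""` as the body, which is not a JSON document — `format.json { head :not_found }` yields the same status without a malformed body. A request whose format is neither html nor json matches neither branch and, as I read `respond_to`, ends in `ActionController::UnknownFormat` (406) rather than the intended 404; a trailing `format.any { head :not_found }` would make the action uniformly 404. `destroy` continues beyond the end of the hunk.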
diff --git a/changelogs/unreleased/security-file-template-project.yml b/changelogs/unreleased/security-file-template-project.yml
new file mode 100644
index 00000000000..ca4c88f20a6
--- /dev/null
+++ b/changelogs/unreleased/security-file-template-project.yml
@@ -0,0 +1,5 @@
+---
+title: Do not return private project ID without permission
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-CVE-2020-10187.yml b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
new file mode 100644
index 00000000000..5510f3dc5fb
--- /dev/null
+++ b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
@@ -0,0 +1,5 @@
+---
+title: Fix doorkeeper CVE-2020-10187
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/oauth/authorized_applications_controller_spec.rb b/spec/controllers/oauth/authorized_applications_controller_spec.rb
new file mode 100644
index 00000000000..32be6a3ddb7
--- /dev/null
+++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Oauth::AuthorizedApplicationsController do
+ let(:user) { create(:user) }
+ let(:guest) { create(:user) }
+ let(:application) { create(:oauth_application, owner: guest) }
+
+ before do
+ sign_in(user)
+ end
+
+ describe 'GET #index' do
+ it 'responds with 404' do
+ get :index
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+end
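Review bot: The spec only exercises the HTML branch of the new `index`; the `format.json` branch added in the controller has no coverage, so a regression there would pass CI. `guest` and `application` are declared but never referenced, and because `let` is lazy they are never even built — drop them or use them. I would add a JSON example alongside the existing one and remove the two unused `let`s.
```ruby
  # … unchanged: describe, let(:user), sign_in before block …
  describe 'GET #index' do
    it 'responds with 404' do
      get :index

      expect(response).to have_gitlab_http_status(:not_found)
    end

    it 'responds with 404 for JSON requests' do
      get :index, format: :json

      expect(response).to have_gitlab_http_status(:not_found)
    end
  end
```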