From d687f6436a14c8b36f1a560ee95222bb2d4fb63f Mon Sep 17 00:00:00 2001
From: Sean McGivern
Date: Wed, 5 Apr 2017 21:17:49 +0000
Subject: Merge branch 'open-redirect-fix-continue-to' into 'security'

Fix for open redirect vuln involving continue[to] params

See merge request !2083
---
 app/controllers/concerns/continue_params.rb             | 1 +
 changelogs/unreleased/open-redirect-continue-params.yml | 4 ++++
 spec/controllers/projects/imports_controller_spec.rb    | 9 ++++++++-
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/open-redirect-continue-params.yml

diff --git a/app/controllers/concerns/continue_params.rb b/app/controllers/concerns/continue_params.rb
index 0a995c45bdf..eb3a623acdd 100644
--- a/app/controllers/concerns/continue_params.rb
+++ b/app/controllers/concerns/continue_params.rb
@@ -7,6 +7,7 @@ module ContinueParams
     continue_params = continue_params.permit(:to, :notice, :notice_now)
     return unless continue_params[:to] && continue_params[:to].start_with?('/')
+    return if continue_params[:to].start_with?('//')
     continue_params
   end
diff --git a/changelogs/unreleased/open-redirect-continue-params.yml b/changelogs/unreleased/open-redirect-continue-params.yml
new file mode 100644
index 00000000000..def3bc7d929
--- /dev/null
+++ b/changelogs/unreleased/open-redirect-continue-params.yml
@@ -0,0 +1,4 @@
+---
+title: Fix for open redirect vulnerability using continue[to] in URL when requesting project import status.
+merge_request:
+author:
diff --git a/spec/controllers/projects/imports_controller_spec.rb b/spec/controllers/projects/imports_controller_spec.rb
index 7c75815f3c4..6724b474179 100644
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
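Review bot: The added guard in continue_params.rb only rejects a literal `//` prefix, but browsers also normalise a leading `/\` into a protocol-relative URL, so that variant still satisfies `start_with?('/')` on the line above and reaches the redirect; the new line should cover both prefixes, `return if continue_params[:to].start_with?('//', '/\\')`, since `String#start_with?` accepts several prefixes. The intent of the two checks is not obvious from the code alone, so a why-comment above them would help the next maintainer, e.g. `# Only same-origin paths may be continued to: reject anything a browser would resolve to another host.` Note that the method `continue_params` starts above this hunk, outside the visible lines, so the earlier `params[:continue]` handling has not been reviewed here.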
@@ -96,12 +96,19 @@ describe Projects::ImportsController do
         }
       end
-      it 'redirects to params[:to]' do
+      it 'redirects to internal params[:to]' do
         get :show, namespace_id: project.namespace.to_param, project_id: project, continue: params
         expect(flash[:notice]).to eq params[:notice]
         expect(response).to redirect_to params[:to]
       end
+
+      it 'does not redirect to external params[:to]' do
+        params[:to] = "//google.com"
+
+        get :show, namespace_id: project.namespace.to_param, project_id: project, continue: params
+        expect(response).not_to redirect_to params[:to]
+      end
     end
   end
--
cgit v1.2.1
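Review bot: `expect(response).not_to redirect_to params[:to]` in the new example is a weak assertion: it also passes if the action renders, errors, or redirects somewhere unrelated, so a regression that drops the continue handling entirely would go unnoticed. Pair it with a positive assertion on what `show` actually does once `continue_params` returns nil (whatever status or target the controller produces in that case; the fallback is not visible in this hunk, so confirm it against the action), e.g. an additional `expect(response).to have_http_status(...)` or `redirect_to` line for that path. The example also exercises only the `//` prefix; each prefix the concern rejects deserves its own example so the spec documents the full rule. The enclosing `describe` block continues beyond this hunk.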