authorKamil Trzcinski <ayufan@ayufan.eu>2015-07-08 14:10:53 +0200
committerKamil Trzcinski <ayufan@ayufan.eu>2015-07-08 14:10:58 +0200
commit65b38e5bc1b575c104a4209501b48dda60a3ca89 (patch)
tree39637eb2d7d1bcfdd5eba343166135c4c48fe739 /app/helpers
parent52cc9a572484a87cea542448e6d439b7c6032e04 (diff)
Added random salt and hashing to oauth state parameter
This ensures that the content of the state parameter was generated by CI, but it does not prevent replay attacks on the state parameter.
Diffstat (limited to 'app/helpers')
-rw-r--r--app/helpers/user_sessions_helper.rb27
1 files changed, 27 insertions, 0 deletions
diff --git a/app/helpers/user_sessions_helper.rb b/app/helpers/user_sessions_helper.rb
index 2018402..e5853b5 100644
--- a/app/helpers/user_sessions_helper.rb
+++ b/app/helpers/user_sessions_helper.rb
@@ -1,2 +1,29 @@
module UserSessionsHelper
+ def generate_oauth_salt
+ SecureRandom.hex(16)
+ end
+
+ def generate_oauth_secret(salt, return_to)
+ return unless return_to
+ message = GitlabCi::Application.config.secret_key_base + salt + return_to
+ Digest::SHA256.hexdigest message
+ end
+
+ def generate_oauth_state(return_to)
+ return unless return_to
+ salt = generate_oauth_salt
+ secret = generate_oauth_secret(salt, return_to)
+ "#{salt}:#{secret}:#{return_to}"
+ end
+
+ def get_ouath_state_return_to(state)
+ state.split(':', 3)[2] if state
+ end
+
+ def is_oauth_state_valid?(state)
+ return true unless state
+ salt, secret, return_to = state.split(':', 3)
+ return false unless return_to
+ secret == generate_oauth_secret(salt, return_to)
+ end
end
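Review bot: The validator at the bottom of the hunk accepts a missing state outright (`return true unless state`) and checks the digest with a plain `==`, so a callback that simply omits `state` passes, and the comparison that does run is not constant-time. If the callback is meant to be protected by this check, an absent state should fail, `return false unless state`, and the digest should be compared with a constant-time helper such as `ActiveSupport::SecurityUtils.secure_compare(secret, generate_oauth_secret(salt, return_to))` (Rails appears to be in use given `GitlabCi::Application.config`). Because `generate_oauth_secret` hashes `secret_key_base + salt + return_to` with bare SHA-256, it is also exposed to length extension: anyone holding one valid state can append data to `return_to` and produce a matching digest without knowing the key, so an HMAC, `OpenSSL::HMAC.hexdigest('SHA256', GitlabCi::Application.config.secret_key_base, "#{salt}:#{return_to}")`, is the right construction. Note that `return_to` itself is never checked to be a local path here, so whether this guards against open redirects depends on the caller. The method name `get_ouath_state_return_to` has a typo (`ouath`), and `is_oauth_state_valid?` would conventionally drop the `is_` prefix, though renaming either requires updating its callers.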