author | Kamil Trzciński <ayufan@ayufan.eu> | 2015-07-09 14:04:27 +0000 |
---|---|---|
committer | Kamil Trzciński <ayufan@ayufan.eu> | 2015-07-09 14:04:27 +0000 |
commit | 349a1b80344ba17f27144d1445383576d60b09c6 (patch) | |
tree | f6f4aa12682d4d337a9568594c1704b19b245180 /spec/models/commit_spec.rb | |
parent | 8ff0c1798bf89fb1d47f16eab9c5a90c006d404a (diff) | |
parent | f4503da9e82f1c4ed91d55023193e1c2113b240e (diff) | |
download | gitlab-ci-349a1b80344ba17f27144d1445383576d60b09c6.tar.gz |
Merge branch 'secure-oauth-state' into 'master'
Added random salt and hashing to oauth state parameter
This ensures the state parameter is signed. The generated state is built like this:
```
salt = random_hex(16bytes)
secret = sha256_hex(gitlab_ci_secret + salt + return_to)
state = "salt:secret:return_to"
```
This prevents faking the state and forcing a redirect to a provided URL. However, this doesn't prevent replay attacks if you know the valid `state` parameter for a specific `return_to`. Should we be concerned about it?
/cc @vsizov @jacobvosmaer
See merge request !192
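The construction described in the commit message, written out as an added Ruby example (this is not code from the merge request or from GitLab CI itself). It builds `salt:secret:return_to` exactly as the message describes, verifies it with a constant-time comparison, and handles one edge case the pseudocode glosses over: `return_to` is a URL and contains `:` itself, so the parser must split on at most three fields. It also goes one step beyond the page to illustrate the replay question the author raises, with a set of already-accepted salts making a state single-use. The secret, the `verify_once` helper and all sample URLs are constructed for this example.

```ruby
require 'securerandom'
require 'digest'
require 'set'

# Constructed server-side secret for this example only; a real deployment
# would load the application secret from configuration.
GITLAB_CI_SECRET = 'constructed-secret-for-example-only'.freeze

# secret = sha256_hex(gitlab_ci_secret + salt + return_to), as in the commit message.
def state_secret(salt, return_to, app_secret = GITLAB_CI_SECRET)
  Digest::SHA256.hexdigest(app_secret + salt + return_to)
end

# state = "salt:secret:return_to" with salt = random_hex(16 bytes).
def generate_state(return_to, app_secret = GITLAB_CI_SECRET)
  salt = SecureRandom.hex(16) # 16 random bytes -> 32 hex characters
  "#{salt}:#{state_secret(salt, return_to, app_secret)}:#{return_to}"
end

# Byte-wise comparison that does not short-circuit on the first mismatch,
# so a wrong signature takes the same time regardless of where it differs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse and verify a state value. Returns return_to on success, nil otherwise.
# return_to may contain ':' (e.g. "https://..."), so split into at most 3 parts.
def verify_state(state, app_secret = GITLAB_CI_SECRET)
  return nil unless state.is_a?(String)
  parts = state.split(':', 3)
  return nil unless parts.size == 3
  salt, secret, return_to = parts
  return nil unless salt.match?(/\A\h{32}\z/) && secret.match?(/\A\h{64}\z/)
  expected = state_secret(salt, return_to, app_secret)
  return nil unless secure_equal?(expected, secret)
  return_to
end

# Added here to illustrate the replay concern from the commit message (not part
# of the change): remember salts already accepted and refuse a second use.
# In a Rails app used_salts would live in the session or a short-lived store;
# a Set is enough to show the idea.
def verify_once(state, used_salts, app_secret = GITLAB_CI_SECRET)
  return_to = verify_state(state, app_secret)
  return nil if return_to.nil?
  salt = state.split(':', 3).first
  return nil unless used_salts.add?(salt) # add? returns nil when already present
  return_to
end

if __FILE__ == $PROGRAM_NAME
  st = generate_state('https://ci.example.test/projects/1')
  puts "state:    #{st}"
  puts "verified: #{verify_state(st).inspect}"
  salt, secret, _ = st.split(':', 3)
  tampered = "#{salt}:#{secret}:https://attacker.example.test"
  puts "tampered: #{verify_state(tampered).inspect}"
  used = Set.new
  puts "first:    #{verify_once(st, used).inspect}"
  puts "replay:   #{verify_once(st, used).inspect}"
end
```

As the commit message says, `verify_state` alone accepts the same valid state any number of times; only the single-use register in `verify_once` refuses the second presentation. The signature follows the message's plain `sha256(secret + salt + return_to)` form so its output matches the description; an HMAC-SHA256 keyed with the application secret is the conventional construction for this purpose and would be a drop-in replacement for `state_secret`.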
Diffstat (limited to 'spec/models/commit_spec.rb')
0 files changed, 0 insertions, 0 deletions