提交
5332995c
编写于
10月 25, 2018
作者:
J
James Lopez
Resolve reflected XSS in Ouath authorize window
上级
34d84fd2
Showing
8 changed file
with
122 addition
and
3 deletion
+122
-3
app/controllers/oauth/applications_controller.rb
app/controllers/oauth/applications_controller.rb
+1
-1
changelogs/unreleased/security-fix-uri-xss-applications.yml
changelogs/unreleased/security-fix-uri-xss-applications.yml
+5
-0
config/initializers/doorkeeper.rb
config/initializers/doorkeeper.rb
+7
-0
db/post_migrate/20181026091631_migrate_forbidden_redirect_uris.rb
...migrate/20181026091631_migrate_forbidden_redirect_uris.rb
+32
-0
db/schema.rb
db/schema.rb
+1
-1
spec/controllers/oauth/applications_controller_spec.rb
spec/controllers/oauth/applications_controller_spec.rb
+17
-0
spec/migrations/migrate_forbidden_redirect_uris_spec.rb
spec/migrations/migrate_forbidden_redirect_uris_spec.rb
+48
-0
spec/requests/api/applications_spec.rb
spec/requests/api/applications_spec.rb
+11
-1
app/controllers/oauth/applications_controller.rb
...
...
@@ -9,7 +9,7 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
before_action
:verify_user_oauth_applications_enabled
,
except: :index
before_action
:authenticate_user!
before_action
:add_gon_variables
before_action
:load_scopes
,
only:
[
:index
,
:create
,
:edit
]
before_action
:load_scopes
,
only:
[
:index
,
:create
,
:edit
,
:update
]
helper_method
:can?
...
...
changelogs/unreleased/security-fix-uri-xss-applications.yml
0 → 100644
---
title
:
Resolve reflected XSS in Ouath authorize window
merge_request
:
author
:
type
:
security
config/initializers/doorkeeper.rb
...
...
@@ -48,6 +48,13 @@ Doorkeeper.configure do
#
force_ssl_in_redirect_uri
false
# Specify what redirect URI's you want to block during Application creation.
# Any redirect URI is whitelisted by default.
#
# You can use this option in order to forbid URI's with 'javascript' scheme
# for example.
forbid_redirect_uri
{
|
uri
|
%w[data vbscript javascript]
.
include?
(
uri
.
scheme
.
to_s
.
downcase
)
}
# Provide support for an owner to be assigned to each registered application (disabled by default)
# Optional parameter confirmation: true (default false) if you want to enforce ownership of
# a registered application
...
...
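Review bot: The scheme list inside the `forbid_redirect_uri` block carries no comment tying it to the stored-data cleanup in `db/post_migrate/20181026091631_migrate_forbidden_redirect_uris.rb`, which repeats the same three schemes as `FORBIDDEN_SCHEMES`, so the two lists will drift silently if one is ever extended. A comment above the block such as `# Keep in step with FORBIDDEN_SCHEMES in MigrateForbiddenRedirectUris; the check is on uri.scheme alone, so a value without '//' after the scheme is rejected as well.` would make that dependency visible. The enclosing `Doorkeeper.configure do` block starts and ends outside the hunk.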
db/post_migrate/20181026091631_migrate_forbidden_redirect_uris.rb
0 → 100644
# frozen_string_literal: true
class
MigrateForbiddenRedirectUris
<
ActiveRecord
::
Migration
include
Gitlab
::
Database
::
MigrationHelpers
DOWNTIME
=
false
FORBIDDEN_SCHEMES
=
%w[data:// vbscript:// javascript://]
NEW_URI
=
'http://forbidden-scheme-has-been-overwritten'
disable_ddl_transaction!
def
up
update_forbidden_uris
(
:oauth_applications
)
update_forbidden_uris
(
:oauth_access_grants
)
end
def
down
# noop
end
private
def
update_forbidden_uris
(
table_name
)
update_column_in_batches
(
table_name
,
:redirect_uri
,
NEW_URI
)
do
|
table
,
query
|
where_clause
=
FORBIDDEN_SCHEMES
.
map
do
|
scheme
|
table
[
:redirect_uri
].
matches
(
"
#{
scheme
}
%"
)
end
.
inject
(
&
:or
)
query
.
where
(
where_clause
)
end
end
end
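Review bot: The `FORBIDDEN_SCHEMES` patterns are `scheme://…%`, so a stored `redirect_uri` whose scheme is followed by a single colon (no `//`) is left untouched by `update_forbidden_uris`, even though the `forbid_redirect_uri` block in `config/initializers/doorkeeper.rb` rejects on `uri.scheme` alone and would refuse the same value on resubmission. Matching on the scheme prefix only, `FORBIDDEN_SCHEMES = %w[data: vbscript: javascript:]`, covers both spellings while the trailing `%` wildcard still handles the remainder. Case folding presumably relies on Arel `matches` emitting a case-insensitive comparison on the production database (the spec's `VBSCRIPT://` example depends on it) — worth confirming for every supported backend. `down` being a no-op is correct, since the original values are overwritten in place, but the comment should say why, e.g. `# noop: the original URIs are overwritten, not preserved, so this cannot be reversed`.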
db/schema.rb
...
...
@@ -11,7 +11,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord
::
Schema
.
define
(
version:
201810
13005024
)
do
ActiveRecord
::
Schema
.
define
(
version:
201810
26091631
)
do
# These are extensions that must be enabled in order to support this database
enable_extension
"plpgsql"
...
...
spec/controllers/oauth/applications_controller_spec.rb
...
...
@@ -40,6 +40,23 @@ describe Oauth::ApplicationsController do
expect
(
response
).
to
have_gitlab_http_status
(
302
)
expect
(
response
).
to
redirect_to
(
profile_path
)
end
context
'redirect_uri'
do
render_views
it
'shows an error for a forbidden URI'
do
invalid_uri_params
=
{
doorkeeper_application:
{
name:
'foo'
,
redirect_uri:
'javascript://alert()'
}
}
post
:create
,
invalid_uri_params
expect
(
response
.
body
).
to
include
'Redirect URI is forbidden by the server'
end
end
end
end
...
...
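Review bot: The new 'shows an error for a forbidden URI' example asserts only that the error text is rendered, not that no application was persisted, whereas the API spec in `spec/requests/api/applications_spec.rb` pins both. Wrapping the request, `expect { post :create, invalid_uri_params }.not_to change { Doorkeeper::Application.count }`, keeps the two specs consistent and catches a regression where the message still renders but the record is saved anyway. The enclosing `describe Oauth::ApplicationsController` block starts and ends outside the hunk.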
spec/migrations/migrate_forbidden_redirect_uris_spec.rb
0 → 100644
# frozen_string_literal: true
require
'spec_helper'
require
Rails
.
root
.
join
(
'db'
,
'post_migrate'
,
'20181026091631_migrate_forbidden_redirect_uris.rb'
)
describe
MigrateForbiddenRedirectUris
,
:migration
do
let
(
:oauth_application
)
{
table
(
:oauth_applications
)
}
let
(
:oauth_access_grant
)
{
table
(
:oauth_access_grants
)
}
let!
(
:control_app
)
{
oauth_application
.
create
(
random_params
)
}
let!
(
:control_access_grant
)
{
oauth_application
.
create
(
random_params
)
}
let!
(
:forbidden_js_app
)
{
oauth_application
.
create
(
random_params
.
merge
(
redirect_uri:
'javascript://alert()'
))
}
let!
(
:forbidden_vb_app
)
{
oauth_application
.
create
(
random_params
.
merge
(
redirect_uri:
'VBSCRIPT://alert()'
))
}
let!
(
:forbidden_access_grant
)
{
oauth_application
.
create
(
random_params
.
merge
(
redirect_uri:
'vbscript://alert()'
))
}
context
'oauth application'
do
it
'migrates forbidden javascript URI'
do
expect
{
migrate!
}.
to
change
{
forbidden_js_app
.
reload
.
redirect_uri
}.
to
(
'http://forbidden-scheme-has-been-overwritten'
)
end
it
'migrates forbidden VBScript URI'
do
expect
{
migrate!
}.
to
change
{
forbidden_vb_app
.
reload
.
redirect_uri
}.
to
(
'http://forbidden-scheme-has-been-overwritten'
)
end
it
'does not migrate a valid URI'
do
expect
{
migrate!
}.
not_to
change
{
control_app
.
reload
.
redirect_uri
}
end
end
context
'access grant'
do
it
'migrates forbidden VBScript URI'
do
expect
{
migrate!
}.
to
change
{
forbidden_access_grant
.
reload
.
redirect_uri
}.
to
(
'http://forbidden-scheme-has-been-overwritten'
)
end
it
'does not migrate a valid URI'
do
expect
{
migrate!
}.
not_to
change
{
control_access_grant
.
reload
.
redirect_uri
}
end
end
def
random_params
{
name:
'test'
,
secret:
'test'
,
uid:
Doorkeeper
::
OAuth
::
Helpers
::
UniqueToken
.
generate
,
redirect_uri:
'http://valid.com'
}
end
end
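Review bot: `control_access_grant` and `forbidden_access_grant` are both created with `oauth_application.create(...)`, so the 'access grant' context exercises `oauth_applications` a second time and the `:oauth_access_grants` branch of `up` is never run; the `oauth_access_grant` helper is defined but unused. Both `let!` blocks should call `oauth_access_grant.create(...)` instead. The grants table presumably has its own required columns (application and resource-owner references, a token) rather than the `name`/`secret`/`uid` set in `random_params`, so a grant-specific params helper will be needed — confirm against `db/schema.rb`.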
spec/requests/api/applications_spec.rb
...
...
@@ -25,7 +25,7 @@ describe API::Applications, :api do
it
'does not allow creating an application with the wrong redirect_uri format'
do
expect
do
post
api
(
'/applications'
,
admin_user
),
name:
'application_name'
,
redirect_uri:
'
wrong_url_format
'
,
scopes:
''
post
api
(
'/applications'
,
admin_user
),
name:
'application_name'
,
redirect_uri:
'
http://
'
,
scopes:
''
end
.
not_to
change
{
Doorkeeper
::
Application
.
count
}
expect
(
response
).
to
have_gitlab_http_status
(
400
)
...
...
@@ -33,6 +33,16 @@ describe API::Applications, :api do
expect
(
json_response
[
'message'
][
'redirect_uri'
][
0
]).
to
eq
(
'must be an absolute URI.'
)
end
it
'does not allow creating an application with a forbidden URI format'
do
expect
do
post
api
(
'/applications'
,
admin_user
),
name:
'application_name'
,
redirect_uri:
'javascript://alert()'
,
scopes:
''
end
.
not_to
change
{
Doorkeeper
::
Application
.
count
}
expect
(
response
).
to
have_gitlab_http_status
(
400
)
expect
(
json_response
).
to
be_a
Hash
expect
(
json_response
[
'message'
][
'redirect_uri'
][
0
]).
to
eq
(
'is forbidden by the server.'
)
end
it
'does not allow creating an application without a name'
do
expect
do
post
api
(
'/applications'
,
admin_user
),
redirect_uri:
'http://application.url'
,
scopes:
''
...
...
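Review bot: The new 'does not allow creating an application with a forbidden URI format' example only sends a lowercase `javascript://` value; the validator in `config/initializers/doorkeeper.rb` downcases the scheme, and the migration spec already relies on that with `VBSCRIPT://`, so a mixed-case request here, e.g. `redirect_uri: 'JavaScript://alert()'`, would pin the normalisation at the API boundary as well. A `data:` example would cover the third forbidden scheme, which neither spec currently touches. The enclosing `describe API::Applications` block starts and ends outside the hunks.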