author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:36:48 +0300 |
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:36:48 +0300 |
commit | 6412a3e007eef5fa9ee0cdfd288200d4cc2ee06b (patch) | |
tree | b9bb59cf9f4430c0a98f8da54586dfd6f74cf15e /app | |
parent | 9e4a9cda8cf0f77475195bf980a14da70ddd42a5 (diff) | |
parent | fc8c1a77d36003795586fe076243b6eb90db6f03 (diff) |
Merge branch 'security-kubernetes-google-login-csrf' into 'master'
Validate session key when authorizing with GCP to create a cluster
Closes #2805
See merge request gitlab/gitlabhq!2902
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/google_api/authorizations_controller.rb | 32 |
1 files changed, 21 insertions, 11 deletions
diff --git a/app/controllers/google_api/authorizations_controller.rb b/app/controllers/google_api/authorizations_controller.rb
index dd9f5af61b3..ed0995e7ffd 100644
--- a/app/controllers/google_api/authorizations_controller.rb
+++ b/app/controllers/google_api/authorizations_controller.rb
@@ -2,6 +2,10 @@ module GoogleApi
 class AuthorizationsController < ApplicationController
+ include Gitlab::Utils::StrongMemoize
+
+ before_action :validate_session_key!
+
 def callback
 token, expires_at = GoogleApi::CloudPlatform::Client
 .new(nil, callback_google_api_auth_url)
@@ -11,21 +15,27 @@ module GoogleApi
 session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] = expires_at.to_s
- state_redirect_uri = redirect_uri_from_session_key(params[:state])
-
- if state_redirect_uri
- redirect_to state_redirect_uri
- else
- redirect_to root_path
- end
+ redirect_to redirect_uri_from_session
 end
 private
- def redirect_uri_from_session_key(state)
- key = GoogleApi::CloudPlatform::Client
- .session_key_for_redirect_uri(params[:state])
- session[key] if key
+ def validate_session_key!
+ access_denied! unless redirect_uri_from_session.present?
+ end
+
+ def redirect_uri_from_session
+ strong_memoize(:redirect_uri_from_session) do
+ if params[:state].present?
+ session[session_key_for_redirect_uri(params[:state])]
+ else
+ nil
+ end
+ end
+ end
+
+ def session_key_for_redirect_uri(state)
+ GoogleApi::CloudPlatform::Client.session_key_for_redirect_uri(state)
 end
 end
 end
|
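Review bot: The new `redirect_uri_from_session` spells out `else nil end` inside the `strong_memoize` block, which is exactly what a bare `if` with no else branch already returns; `session[session_key_for_redirect_uri(params[:state])] if params[:state].present?` says the same in one line and reads as the lookup it is. More importantly, nothing in the hunk records why `validate_session_key!` exists, so a later cleanup could relax it without realizing it is the CSRF check; a comment above that method such as `# Reject callbacks whose state does not map to a redirect URI stored in this session: the request did not originate here (see #2805).` would keep that rationale with the code. The redirect target now comes only from the session, never from the request, so the open-redirect surface is closed provided the code that writes that session key stores only app-generated URLs; that writer is outside this hunk and worth confirming.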