author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:20:57 +0300 |
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:20:57 +0300 |
commit | fd785650f402789e31c584d823e47c92dceb2250 (patch) | |
tree | 1832cf613c404857fdafe7bae80f5b22b1758bf9 /app | |
parent | f30bc8a2ed896546ff567dc1fbb824d5264f1e74 (diff) | |
parent | 1461913399038aefd786dc807ee5e3361639a565 (diff) |
Merge branch 'security-kubernetes-google-login-csrf-11-7' into '11-7-stable'
Validate session key when authorizing with GCP to create a cluster
See merge request gitlab/gitlabhq!2935
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/google_api/authorizations_controller.rb | 32 |
1 files changed, 21 insertions, 11 deletions
diff --git a/app/controllers/google_api/authorizations_controller.rb b/app/controllers/google_api/authorizations_controller.rb
index dd9f5af61b3..ed0995e7ffd 100644
--- a/app/controllers/google_api/authorizations_controller.rb
+++ b/app/controllers/google_api/authorizations_controller.rb
@@ -2,6 +2,10 @@ module GoogleApi
 class AuthorizationsController < ApplicationController
+ include Gitlab::Utils::StrongMemoize
+
+ before_action :validate_session_key!
+
 def callback
 token, expires_at = GoogleApi::CloudPlatform::Client
 .new(nil, callback_google_api_auth_url)
@@ -11,21 +15,27 @@ module GoogleApi
 session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] =
 expires_at.to_s
- state_redirect_uri = redirect_uri_from_session_key(params[:state])
-
- if state_redirect_uri
- redirect_to state_redirect_uri
- else
- redirect_to root_path
- end
+ redirect_to redirect_uri_from_session
 end
 private
- def redirect_uri_from_session_key(state)
- key = GoogleApi::CloudPlatform::Client
- .session_key_for_redirect_uri(params[:state])
- session[key] if key
+ def validate_session_key!
+ access_denied! unless redirect_uri_from_session.present?
+ end
+
+ def redirect_uri_from_session
+ strong_memoize(:redirect_uri_from_session) do
+ if params[:state].present?
+ session[session_key_for_redirect_uri(params[:state])]
+ else
+ nil
+ end
+ end
+ end
+
+ def session_key_for_redirect_uri(state)
+ GoogleApi::CloudPlatform::Client.session_key_for_redirect_uri(state)
 end
 end
 end |
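Review bot: In the second hunk the session entry that `redirect_uri_from_session` reads is never consumed, so the same `state` value stays valid for the rest of the session instead of being single-use as an OAuth state normally is; if nothing else reads that entry, `callback` could call `session.delete(session_key_for_redirect_uri(params[:state]))` once the redirect target has been memoized. The `else nil end` branch in `redirect_uri_from_session` is redundant: `session[session_key_for_redirect_uri(params[:state])] if params[:state].present?` is equivalent. The `before_action :validate_session_key!` line in the first hunk is the actual fix but carries no explanation; a comment such as `# CSRF check for the OAuth callback: reject requests whose state does not map to a redirect URI stored in this session, before any token is written to it` would make the required ordering explicit. The middle of `callback` lies between the two hunks and is not shown here.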