1 files changed, 16 insertions, 7 deletions

diff --git a/app/controllers/import/bitbucket_controller.rb b/app/controllers/import/bitbucket_controller.rb
index cfd86429df0..7c9525d1744 100644
--- a/app/controllers/import/bitbucket_controller.rb
+++ b/app/controllers/import/bitbucket_controller.rb
@@ -12,14 +12,21 @@ class Import::BitbucketController < Import::BaseController
   rescue_from Bitbucket::Error::Unauthorized, with: :bitbucket_unauthorized
 
   def callback
-    response = oauth_client.auth_code.get_token(params[:code], redirect_uri: users_import_bitbucket_callback_url)
+    auth_state = session[:bitbucket_auth_state]
+    session[:bitbucket_auth_state] = nil
 
-    session[:bitbucket_token]         = response.token
-    session[:bitbucket_expires_at]    = response.expires_at
-    session[:bitbucket_expires_in]    = response.expires_in
-    session[:bitbucket_refresh_token] = response.refresh_token
+    if auth_state.blank? || !ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state])
+      go_to_bitbucket_for_permissions
+    else
+      response = oauth_client.auth_code.get_token(params[:code], redirect_uri: users_import_bitbucket_callback_url)
+
+      session[:bitbucket_token]         = response.token
+      session[:bitbucket_expires_at]    = response.expires_at
+      session[:bitbucket_expires_in]    = response.expires_in
+      session[:bitbucket_refresh_token] = response.refresh_token
 
-    redirect_to status_import_bitbucket_url
+      redirect_to status_import_bitbucket_url
+    end
   end
 
   def status
@@ -113,7 +120,9 @@ class Import::BitbucketController < Import::BaseController
   end
 
   def go_to_bitbucket_for_permissions
-    redirect_to oauth_client.auth_code.authorize_url(redirect_uri: users_import_bitbucket_callback_url)
+    state = SecureRandom.base64(64)
+    session[:bitbucket_auth_state] = state
+    redirect_to oauth_client.auth_code.authorize_url(redirect_uri: users_import_bitbucket_callback_url, state: state)
   end
 
   def bitbucket_unauthorized(exception)