diff options
Diffstat (limited to 'app/controllers/import/github_controller.rb')
-rw-r--r-- | app/controllers/import/github_controller.rb | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/app/controllers/import/github_controller.rb b/app/controllers/import/github_controller.rb index d7aebd25432..55f4563285d 100644 --- a/app/controllers/import/github_controller.rb +++ b/app/controllers/import/github_controller.rb @@ -28,8 +28,14 @@ class Import::GithubController < Import::BaseController end def callback - session[access_token_key] = get_token(params[:code]) - redirect_to status_import_url + auth_state = session[auth_state_key] + session[auth_state_key] = nil + if auth_state.blank? || !ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state]) + provider_unauthorized + else + session[access_token_key] = get_token(params[:code]) + redirect_to status_import_url + end end def personal_access_token @@ -154,13 +160,16 @@ class Import::GithubController < Import::BaseController end def authorize_url + state = SecureRandom.base64(64) + session[auth_state_key] = state if Feature.enabled?(:remove_legacy_github_client) oauth_client.auth_code.authorize_url( redirect_uri: callback_import_url, - scope: 'repo, user, user:email' + scope: 'repo, user, user:email', + state: state ) else - client.authorize_url(callback_import_url) + client.authorize_url(callback_import_url, state) end end @@ -219,6 +228,10 @@ class Import::GithubController < Import::BaseController alert: _('Missing OAuth configuration for GitHub.') end + def auth_state_key + :"#{provider_name}_auth_state_key" + end + def access_token_key :"#{provider_name}_access_token" end |