From 027c3264adbb24a5398241a9eecc218150943cd1 Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Wed, 26 Sep 2018 10:53:57 -0700
Subject: [PATCH] Guard against a login attempt with invalid CSRF token

If a user logs in with a bad CSRF token, the Warden before_logout hook will be called with no valid user. This would lead to odd Error 500 messages with a backtrace.

Addresses part of #50857
---
 .../unreleased/sh-guard-against-ldap-login-csrf-fail.yml | 5 +++++
 config/initializers/warden.rb | 5 +++++
 2 files changed, 10 insertions(+)
 create mode 100644 changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml

diff --git a/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml b/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml
new file mode 100644
index 00000000000..7233f6f3d7b
--- /dev/null
+++ b/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml
@@ -0,0 +1,5 @@
+---
+title: Guard against a login attempt with invalid CSRF token
+merge_request: 21934
+author:
+type: fixed
diff --git a/config/initializers/warden.rb b/config/initializers/warden.rb
index 33f55069c3e..1d2bb2bce0a 100644
--- a/config/initializers/warden.rb
+++ b/config/initializers/warden.rb
@@ -31,6 +31,11 @@ Rails.application.configure do |config|
 Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
 user ||= auth.user
+
+ # Rails CSRF protection may attempt to log out a user before that
+ # user even logs in
+ next unless user
+
 activity = Gitlab::Auth::Activity.new(opts)
 tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)