Remove ability to revoke active session
The session ID is used as a parameter for the revoke-session endpoint, but it should never be included in the HTML, because an attacker could obtain it via XSS.
parent
44c4aad983
commit
038d530565
|
@ -4,13 +4,4 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
|
||||||
def index
|
def index
|
||||||
@sessions = ActiveSession.list(current_user).reject(&:is_impersonated)
|
@sessions = ActiveSession.list(current_user).reject(&:is_impersonated)
|
||||||
end
|
end
|
||||||
|
|
||||||
def destroy
|
|
||||||
ActiveSession.destroy(current_user, params[:id])
|
|
||||||
|
|
||||||
respond_to do |format|
|
|
||||||
format.html { redirect_to profile_active_sessions_url, status: :found }
|
|
||||||
format.js { head :ok }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -23,9 +23,3 @@
|
||||||
%strong Signed in
|
%strong Signed in
|
||||||
on
|
on
|
||||||
= l(active_session.created_at, format: :short)
|
= l(active_session.created_at, format: :short)
|
||||||
|
|
||||||
- unless is_current_session
|
|
||||||
.float-right
|
|
||||||
= link_to profile_active_session_path(active_session.session_id), data: { confirm: 'Are you sure? The device will be signed out of GitLab.' }, method: :delete, class: "btn btn-danger prepend-left-10" do
|
|
||||||
%span.sr-only Revoke
|
|
||||||
Revoke
|
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
title: Do not display impersonated sessions under active sessions and remove ability
|
||||||
|
to revoke session
|
||||||
|
merge_request:
|
||||||
|
author:
|
||||||
|
type: security
|
|
@ -4,7 +4,7 @@
|
||||||
> in GitLab 10.8.
|
> in GitLab 10.8.
|
||||||
|
|
||||||
GitLab lists all devices that have logged into your account. This allows you to
|
GitLab lists all devices that have logged into your account. This allows you to
|
||||||
review the sessions and revoke any of it that you don't recognize.
|
review the sessions.
|
||||||
|
|
||||||
## Listing all active sessions
|
## Listing all active sessions
|
||||||
|
|
||||||
|
@ -12,9 +12,3 @@ review the sessions and revoke any of it that you don't recognize.
|
||||||
1. Navigate to the **Active Sessions** tab.
|
1. Navigate to the **Active Sessions** tab.
|
||||||
|
|
||||||
![Active sessions list](img/active_sessions_list.png)
|
![Active sessions list](img/active_sessions_list.png)
|
||||||
|
|
||||||
## Revoking a session
|
|
||||||
|
|
||||||
1. Navigate to your [profile's](#profile-settings) **Settings > Active Sessions**.
|
|
||||||
1. Click on **Revoke** besides a session. The current session cannot be
|
|
||||||
revoked, as this would sign you out of GitLab.
|
|
||||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 22 KiB After Width: | Height: | Size: 19 KiB |
|
@ -82,31 +82,4 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do
|
||||||
expect(page).not_to have_content('Chrome on Windows')
|
expect(page).not_to have_content('Chrome on Windows')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'User can revoke a session', :js, :redis_session_store do
|
|
||||||
Capybara::Session.new(:session1)
|
|
||||||
Capybara::Session.new(:session2)
|
|
||||||
|
|
||||||
# set an additional session in another browser
|
|
||||||
using_session :session2 do
|
|
||||||
gitlab_sign_in(user)
|
|
||||||
end
|
|
||||||
|
|
||||||
using_session :session1 do
|
|
||||||
gitlab_sign_in(user)
|
|
||||||
visit profile_active_sessions_path
|
|
||||||
|
|
||||||
expect(page).to have_link('Revoke', count: 1)
|
|
||||||
|
|
||||||
accept_confirm { click_on 'Revoke' }
|
|
||||||
|
|
||||||
expect(page).not_to have_link('Revoke')
|
|
||||||
end
|
|
||||||
|
|
||||||
using_session :session2 do
|
|
||||||
visit profile_active_sessions_path
|
|
||||||
|
|
||||||
expect(page).to have_content('You need to sign in or sign up before continuing.')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|