Remove ability to revoke active session
The session ID is used as a parameter for the revoke-session endpoint, but it should never be included in the HTML, since an attacker could obtain it via XSS.
This commit is contained in:
parent
44c4aad983
commit
038d530565
@ -4,13 +4,4 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
|
|||
def index
|
||||
@sessions = ActiveSession.list(current_user).reject(&:is_impersonated)
|
||||
end
|
||||
|
||||
def destroy
|
||||
ActiveSession.destroy(current_user, params[:id])
|
||||
|
||||
respond_to do |format|
|
||||
format.html { redirect_to profile_active_sessions_url, status: :found }
|
||||
format.js { head :ok }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -23,9 +23,3 @@
|
|||
%strong Signed in
|
||||
on
|
||||
= l(active_session.created_at, format: :short)
|
||||
|
||||
- unless is_current_session
|
||||
.float-right
|
||||
= link_to profile_active_session_path(active_session.session_id), data: { confirm: 'Are you sure? The device will be signed out of GitLab.' }, method: :delete, class: "btn btn-danger prepend-left-10" do
|
||||
%span.sr-only Revoke
|
||||
Revoke
|
||||
|
|
|
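--- /dev/null
+++ b/<changelog .yml path not shown on page>
@@ -0,0 +1,6 @@
+---
+title: Do not display impersonated sessions under active sessions and remove ability
+to revoke session
+merge_request:
+author:
+type: security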
@ -4,7 +4,7 @@
|
|||
> in GitLab 10.8.
|
||||
|
||||
GitLab lists all devices that have logged into your account. This allows you to
|
||||
review the sessions and revoke any of it that you don't recognize.
|
||||
review the sessions.
|
||||
|
||||
## Listing all active sessions
|
||||
|
||||
|
@ -12,9 +12,3 @@ review the sessions and revoke any of it that you don't recognize.
|
|||
1. Navigate to the **Active Sessions** tab.
|
||||
|
||||
![Active sessions list](img/active_sessions_list.png)
|
||||
|
||||
## Revoking a session
|
||||
|
||||
1. Navigate to your [profile's](#profile-settings) **Settings > Active Sessions**.
|
||||
1. Click on **Revoke** besides a session. The current session cannot be
|
||||
revoked, as this would sign you out of GitLab.
|
||||
|
|
Binary file not shown.
|
@ -82,31 +82,4 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do
|
|||
expect(page).not_to have_content('Chrome on Windows')
|
||||
end
|
||||
end
|
||||
|
||||
it 'User can revoke a session', :js, :redis_session_store do
|
||||
Capybara::Session.new(:session1)
|
||||
Capybara::Session.new(:session2)
|
||||
|
||||
# set an additional session in another browser
|
||||
using_session :session2 do
|
||||
gitlab_sign_in(user)
|
||||
end
|
||||
|
||||
using_session :session1 do
|
||||
gitlab_sign_in(user)
|
||||
visit profile_active_sessions_path
|
||||
|
||||
expect(page).to have_link('Revoke', count: 1)
|
||||
|
||||
accept_confirm { click_on 'Revoke' }
|
||||
|
||||
expect(page).not_to have_link('Revoke')
|
||||
end
|
||||
|
||||
using_session :session2 do
|
||||
visit profile_active_sessions_path
|
||||
|
||||
expect(page).to have_content('You need to sign in or sign up before continuing.')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|