Merge branch '32059-fix-oauth-phishing' into 'security-10-1'

Prevent OAuth phishing attack by presenting detailed wording about app to user during authorization See merge request gitlab/gitlabhq!2205
2017-11-07 08:33:58 +00:00 · 2017-11-07 08:33:58 +00:00 · ab1f3b47a8
commit ab1f3b47a8
parent 304ceb144c
5 changed files with 44 additions and 7 deletions
--- a/app/assets/stylesheets/pages/settings.scss
+++ b/app/assets/stylesheets/pages/settings.scss
@ -249,3 +249,22 @@
    }
  }
 }
+
+.modal-doorkeepr-auth,
+.doorkeeper-app-form {
+  .scope-description {
+    color: $theme-gray-700;
+  }
+}
+
+.modal-doorkeepr-auth {
+  .modal-body {
+    padding: $gl-padding;
+  }
+}
+
+.doorkeeper-app-form {
+  .scope-description {
+    margin: 0 0 5px 17px;
+  }
+}
--- a/app/views/doorkeeper/applications/_form.html.haml
+++ b/app/views/doorkeeper/applications/_form.html.haml
@ -1,4 +1,4 @@
-= form_for application, url: doorkeeper_submit_path(application), html: {role: 'form'} do |f|
+= form_for application, url: doorkeeper_submit_path(application), html: { role: 'form', class: 'doorkeeper-app-form' } do |f|
  = form_errors(application)

  .form-group
--- a/app/views/doorkeeper/authorizations/new.html.haml
+++ b/app/views/doorkeeper/authorizations/new.html.haml
@ -1,5 +1,7 @@
+- auth_app_owner = @pre_auth.client.application.owner
+
 %main{ :role => "main" }
-  .modal-no-backdrop
+  .modal-no-backdrop.modal-doorkeepr-auth
    .modal-content
      .modal-header
        %h3.page-title
@ -16,14 +18,21 @@
              %strong= @pre_auth.client.name
              will allow them to interact with GitLab as an admin as well. Proceed with caution.
        %p
-          You are about to authorize
+          An application called
          = link_to @pre_auth.client.name, @pre_auth.redirect_uri, target: '_blank', rel: 'noopener noreferrer'
-          to use your account.
-          - if @pre_auth.scopes
+          is requesting access to your GitLab account. This application was created by
+          = succeed "." do
+            = link_to auth_app_owner.name, user_path(auth_app_owner)
+          Please note that this application is not provided by GitLab and you should verify its authenticity before
+          allowing access.
+        - if @pre_auth.scopes
+          %p
            This application will be able to:
            %ul
              - @pre_auth.scopes.each do |scope|
-                %li= t scope, scope: [:doorkeeper, :scopes]
+                %li
+                  %strong= t scope, scope: [:doorkeeper, :scopes]
+                  .scope-description= t scope, scope: [:doorkeeper, :scope_desc]
        .form-actions.text-right
          = form_tag oauth_authorization_path, method: :delete, class: 'inline'  do
            = hidden_field_tag :client_id, @pre_auth.client.uid
--- a/app/views/shared/tokens/_scopes_form.html.haml
+++ b/app/views/shared/tokens/_scopes_form.html.haml
@ -7,3 +7,4 @@
    = check_box_tag "#{prefix}[scopes][]", scope, token.scopes.include?(scope), id: "#{prefix}_scopes_#{scope}"
    = label_tag ("#{prefix}_scopes_#{scope}"), scope
    %span= t(scope, scope: [:doorkeeper, :scopes])
+    .scope-description= t scope, scope: [:doorkeeper, :scope_desc]
--- a/config/locales/doorkeeper.en.yml
+++ b/config/locales/doorkeeper.en.yml
@ -62,7 +62,15 @@ en:
      read_user: Read the authenticated user's personal information
      openid: Authenticate using OpenID Connect
      sudo: Perform API actions as any user in the system (if the authenticated user is an admin)
-
+    scope_desc:
+      api:
+        Full access to GitLab as the user, including read/write on all their groups and projects
+      read_user:
+        Read-only access to the user's profile information, like username, public email and full name
+      openid:
+        The ability to authenticate using GitLab, and read-only access to the user's profile information
+      sudo:
+        Access to the Sudo feature, to perform API actions as any user in the system (only available for admins)
    flash:
      applications:
        create: