Set issuable_sort and diff_view cookies to secure when possible
Closes #49120
This commit is contained in:
Stan Hu
parent
ba99dfcde2
commit
b9cee4ba3c
5 changed files with 52 additions and 5 deletions
|
|
@ -1,5 +1,6 @@
|
|||
module IssuableCollections
|
||||
extend ActiveSupport::Concern
|
||||
include CookiesHelper
|
||||
include SortingHelper
|
||||
include Gitlab::IssuableMetadata
|
||||
include Gitlab::Utils::StrongMemoize
|
||||
|
|
@ -107,11 +108,14 @@ module IssuableCollections
|
|||
end
|
||||
|
||||
def set_sort_order_from_cookie
|
||||
cookies[remember_sorting_key] = params[:sort] if params[:sort].present?
|
||||
sort_param = params[:sort] if params[:sort].present?
|
||||
# fallback to legacy cookie value for backward compatibility
|
||||
cookies[remember_sorting_key] ||= cookies['issuable_sort']
|
||||
cookies[remember_sorting_key] = update_cookie_value(cookies[remember_sorting_key])
|
||||
params[:sort] = cookies[remember_sorting_key]
|
||||
sort_param ||= cookies['issuable_sort']
|
||||
sort_param ||= cookies[remember_sorting_key]
|
||||
|
||||
sort_value = update_cookie_value(sort_param)
|
||||
set_secure_cookie(remember_sorting_key, sort_value)
|
||||
params[:sort] = sort_value
|
||||
end
|
||||
|
||||
def remember_sorting_key
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
class Projects::ApplicationController < ApplicationController
|
||||
include CookiesHelper
|
||||
include RoutableActions
|
||||
include ChecksCollaboration
|
||||
|
||||
|
|
@ -74,7 +75,7 @@ class Projects::ApplicationController < ApplicationController
|
|||
end
|
||||
|
||||
def apply_diff_view_cookie!
|
||||
cookies.permanent[:diff_view] = params.delete(:view) if params[:view].present?
|
||||
set_secure_cookie(:diff_view, params.delete(:view), permanent: true) if params[:view].present?
|
||||
end
|
||||
|
||||
def require_pages_enabled!
|
||||
|
|
|
|||
9
app/helpers/cookies_helper.rb
Normal file
9
app/helpers/cookies_helper.rb
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module CookiesHelper
|
||||
def set_secure_cookie(key, value, httponly: false, permanent: false)
|
||||
cookie_jar = permanent ? cookies.permanent : cookies
|
||||
|
||||
cookie_jar[key] = { value: value, secure: Gitlab.config.gitlab.https, httponly: httponly }
|
||||
end
|
||||
end
|
||||
5
changelogs/unreleased/sh-set-secure-cookies.yml
Normal file
5
changelogs/unreleased/sh-set-secure-cookies.yml
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Set issuable_sort, diff_view, and perf_bar_enabled cookies to secure when possible
|
||||
merge_request: 21442
|
||||
author:
|
||||
type: security
|
||||
|
|
@ -21,6 +21,34 @@ describe IssuableCollections do
|
|||
controller
|
||||
end
|
||||
|
||||
describe '#set_set_order_from_cookie' do
|
||||
describe 'when sort param given' do
|
||||
let(:cookies) { {} }
|
||||
let(:params) { { sort: 'downvotes_asc' } }
|
||||
|
||||
it 'sets the cookie with the right values and flags' do
|
||||
allow(controller).to receive(:cookies).and_return(cookies)
|
||||
|
||||
controller.send(:set_sort_order_from_cookie)
|
||||
|
||||
expect(cookies['issue_sort']).to eq({ value: 'popularity', secure: false, httponly: false })
|
||||
end
|
||||
end
|
||||
|
||||
describe 'when cookie exists' do
|
||||
let(:cookies) { { 'issue_sort' => 'id_asc' } }
|
||||
let(:params) { {} }
|
||||
|
||||
it 'sets the cookie with the right values and flags' do
|
||||
allow(controller).to receive(:cookies).and_return(cookies)
|
||||
|
||||
controller.send(:set_sort_order_from_cookie)
|
||||
|
||||
expect(cookies['issue_sort']).to eq({ value: 'created_asc', secure: false, httponly: false })
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#page_count_for_relation' do
|
||||
let(:params) { { state: 'opened' } }
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue