Merge branch 'open-redirect-fix-continue-to' into 'security'

Fix for open redirect vuln involving continue[to] params See merge request !2083
2017-04-05 21:17:49 +00:00 · 2017-04-05 21:17:49 +00:00 · d687f6436a
parent b80653bb6a
commit d687f6436a
3 changed files with 13 additions and 1 deletions
--- a/app/controllers/concerns/continue_params.rb
+++ b/app/controllers/concerns/continue_params.rb
@ -7,6 +7,7 @@ module ContinueParams

    continue_params = continue_params.permit(:to, :notice, :notice_now)
    return unless continue_params[:to] && continue_params[:to].start_with?('/')
+    return if continue_params[:to].start_with?('//')

    continue_params
  end
--- a/changelogs/unreleased/open-redirect-continue-params.yml
+++ b/changelogs/unreleased/open-redirect-continue-params.yml
@ -0,0 +1,4 @@
+---
+title: Fix for open redirect vulnerability using continue[to] in URL when requesting project import status.
+merge_request: 
+author:
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@ -96,12 +96,19 @@ describe Projects::ImportsController do
            }
          end

-          it 'redirects to params[:to]' do
+          it 'redirects to internal params[:to]' do
            get :show, namespace_id: project.namespace.to_param, project_id: project, continue: params

            expect(flash[:notice]).to eq params[:notice]
            expect(response).to redirect_to params[:to]
          end
+
+          it 'does not redirect to external params[:to]' do
+            params[:to] = "//google.com"
+
+            get :show, namespace_id: project.namespace.to_param, project_id: project, continue: params
+            expect(response).not_to redirect_to params[:to]
+          end
        end
      end