Commit graph

7 commits

Author SHA1 Message Date
Markus Koller
8fd2c08472 Make checks for continue_params more robust
The check for continue_params&.key?(:to) in Projects::ImportsController
caused an exception in redirect_to if this key contained a nil value.

Since url_for won't add any params for an empty hash, we can just return
that in continue_params if params[:continue] isn't present, and simplify
the code in the controllers to check for the values we actually want to
use.
2019-06-25 13:19:29 +02:00
Andrew Newdigate
3288e1a874 Adds the Rubocop ReturnNil cop
This style change enforces `return if ...` instead of
`return nil if ...` to save maintainers a few minor review points
2019-03-06 17:51:56 +02:00
gfyoung
73322a0e55 Enable frozen string in app/controllers/**/*.rb
Enables frozen string for the following:

* app/controllers/*.rb
* app/controllers/admin/**/*.rb
* app/controllers/boards/**/*.rb
* app/controllers/ci/**/*.rb
* app/controllers/concerns/**/*.rb

Partially addresses #47424.
2018-09-18 21:22:45 -07:00
Bob Van Landuyt
39916fdfed Reuses InternalRedirect when possible
`InternalRedirect` prevents open redirect issues by only allowing
redirection to paths on the same host.

It cleans up any unwanted strings from the path that could point to
another host (e.g. //about.gitlab.com/hello), while preserving the
query string and fragment of the URI.

It is already used by:

- `TermsController`
- `ContinueParams`
  - `ImportsController`
  - `ForksController`
- `SessionsController`: Only for verifying the host in CE. EE allows
   redirecting to a different instance using Geo.
2018-05-04 13:54:43 +02:00
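The two behaviours described in the commit messages above, the `InternalRedirect` same-host cleanup (collapsing a protocol-relative `//host/path` into a local path while keeping the query string and fragment) and the nil-tolerant `continue_params` handling from the later "more robust" commit, as an added plain-Ruby example. This is illustrative code written for this page, not GitLab's `InternalRedirect` or `ContinueParams` concerns: the module name `SafeContinue`, the method names, and the permitted keys `:to`, `:notice` and `:notice_now` are assumptions, and it uses only the standard `URI` library rather than Rails.

```ruby
require 'uri'

# Added example, not GitLab's code. Module and method names, and the set of
# permitted continue[...] keys, are assumptions made for this illustration.
module SafeContinue
  PERMITTED_KEYS = %i[to notice notice_now].freeze

  # Reduce an untrusted redirect target to a path on the current host.
  # Returns nil when the value cannot be made safe.
  def self.safe_redirect_path(value)
    return nil unless value.is_a?(String) && value.start_with?('/')

    # "//evil.example/x" is protocol-relative and would leave the host;
    # collapsing the run of leading slashes keeps it as a local path.
    path = value.sub(%r{\A/+}, '/')

    uri = begin
      URI.parse(path)
    rescue URI::InvalidURIError
      # Backslashes, spaces and control characters do not parse; reject them.
      return nil
    end

    # Anything that still carries a scheme, host or userinfo is rejected
    # outright rather than cleaned up.
    return nil if uri.scheme || uri.host || uri.userinfo

    # Rebuild from path, query and fragment only, preserving the latter two.
    rebuilt = uri.path
    rebuilt += "?#{uri.query}" if uri.query
    rebuilt += "##{uri.fragment}" if uri.fragment
    rebuilt
  end

  # Extract the permitted continue[...] params. Returns {} when the key is
  # absent, so callers never need to nil-guard the hash itself, and drops a
  # nil or unsafe :to instead of handing it to redirect_to (which raises on nil).
  def self.continue_params(params)
    continue = params[:continue] || params['continue']
    return {} unless continue.is_a?(Hash)

    continue = continue.transform_keys(&:to_sym)
    result = {}
    PERMITTED_KEYS.each do |key|
      result[key] = continue[key] unless continue[key].nil?
    end

    if result.key?(:to)
      safe = safe_redirect_path(result[:to])
      if safe
        result[:to] = safe
      else
        result.delete(:to)
      end
    end
    result
  end

  # Where a controller should send the user: the sanitised continue[to] when
  # there is one, otherwise the caller's default. Checking the value we
  # actually use, rather than key?(:to), is what keeps a nil :to from reaching
  # redirect_to.
  def self.redirect_target(params, default)
    continue_params(params)[:to] || default
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs, not captured requests.
  puts SafeContinue.redirect_target({ continue: { to: '//about.gitlab.com/hello?x=1#top' } }, '/')
  puts SafeContinue.redirect_target({ continue: { to: nil } }, '/fallback')
  puts SafeContinue.redirect_target({ continue: { to: 'http://evil.example/' } }, '/fallback')
end
```

Note that the design choice here matches the commit message's two-step description: the leading-slash collapse is the "clean up", and the rebuild from `path`, `query` and `fragment` is what preserves the rest of the URI. A target that still parses with a scheme or host after that (an absolute `http://` URL, a `javascript:` URL) is dropped rather than rewritten, so the caller falls back to its default.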
Sean McGivern
d687f6436a Merge branch 'open-redirect-fix-continue-to' into 'security'
Fix for open redirect vuln involving continue[to] params

See merge request !2083
2017-04-05 21:07:26 -07:00
Zeger-Jan van de Weg
5352ec2e21 Fix indenting and spec 2016-03-13 13:44:31 +01:00
Zeger-Jan van de Weg
dfb96ed84b ContinueToParams -> ContinueParams 2016-03-13 13:13:19 +01:00
Renamed from app/controllers/concerns/continue_to_params.rb