88f2e9615c
To prevent an OAuth2 covert redirect vulnerability, this commit adds and uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the following paths: GitHub: /users/auth/-/import/github Bitbucket: /users/auth/-/import/bitbucket This allows admins to put a more restrictive callback URL in the OAuth2 configuration settings. Instead of https://example.com, admins can now use: https://example.com/users/auth It's possible but not trivial to change Devise and OmniAuth to use a different prefix for callback URLs instead of /users/auth. For now, aliasing the import URLs under the /users/auth namespace should suffice. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
require 'spec_helper'
describe Import::GithubController do
  include ImportSpecHelper

  let(:provider) { :github }

  include_context 'a GitHub-ish import controller'

  describe 'GET new' do
    it_behaves_like 'a GitHub-ish import controller: GET new'

    it 'redirects to GitHub for an access token if logged in with GitHub' do
      allow(controller).to receive(:logged_in_with_provider?).and_return(true)
      expect(controller).to receive(:go_to_provider_for_permissions).and_call_original
      # The authorize request must carry the aliased callback under /users/auth
      # (users_import_github_callback_url); that is the path an admin can register
      # as a restricted OAuth2 callback URL, so anything else would be rejected
      # by the provider.
      allow_any_instance_of(Gitlab::LegacyGithubImport::Client)
        .to receive(:authorize_url).with(users_import_github_callback_url).and_call_original

      get :new

      expect(response).to have_http_status(:found)
    end

    it 'prompts for an access token if GitHub not configured' do
      allow(controller).to receive(:github_import_configured?).and_return(false)
      expect(controller).not_to receive(:go_to_provider_for_permissions)

      get :new

      expect(response).to have_http_status(:ok)
    end
  end

  describe 'GET callback' do
    let(:token) { 'asdasd12345' }

    before do
      client_class = Gitlab::LegacyGithubImport::Client
      # The code-for-token exchange is stubbed; only session handling and the
      # post-callback redirect are exercised here.
      allow_any_instance_of(client_class).to receive(:get_token).and_return(token)
      allow_any_instance_of(client_class).to receive(:github_options).and_return({})
      stub_omniauth_provider('github')
    end

    it 'updates access token' do
      get :callback

      expect(session[:github_access_token]).to eq(token)
      expect(controller).to redirect_to(status_import_github_url)
    end
  end

  # Remaining actions are covered entirely by the shared GitHub-ish examples.
  {
    'POST personal_access_token' => 'a GitHub-ish import controller: POST personal_access_token',
    'GET status' => 'a GitHub-ish import controller: GET status',
    'POST create' => 'a GitHub-ish import controller: POST create'
  }.each do |action, shared_example|
    describe action do
      it_behaves_like shared_example
    end
  end
end
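Review bot: The "GET new" example pins the redirect_uri handed to GitHub via `users_import_github_callback_url`, but nothing in this file asserts that the aliased path `/users/auth/-/import/github` named in the commit message actually routes to `Import::GithubController#callback`; if a routing spec is not part of this commit elsewhere, add one along the lines of `expect(get('/users/auth/-/import/github')).to route_to('import/github#callback')`. The "GET callback" example stubs `get_token` outright, so the code-for-token exchange — the step a provider validates against the registered callback URL — is never checked for using the same aliased URL; an expectation on the arguments passed to `get_token` would tie the two halves of the flow together, though that depends on `get_token`'s signature, which is not visible here. A one-line comment above the `authorize_url` stub naming why the aliased URL matters (`# the /users/auth alias is what admins can register as a restricted OAuth2 callback`) would also help future readers.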