Commit 18ebc188 authored by José Iván Vargas López's avatar José Iván Vargas López Committed by Jose Vargas

Merge branch 'security-fj-missing-csrf-system-hooks-resend-11-1' into 'security-11-1'

[11.1] Missing CSRF in System Hooks resend action

See merge request gitlab/gitlabhq!2477
parent ebcd24f3
...@@ -4,7 +4,6 @@ ...@@ -4,7 +4,6 @@
%hr %hr
= link_to 'Resend Request', retry_admin_hook_hook_log_path(@hook, @hook_log), class: "btn btn-default float-right prepend-left-10" = link_to 'Resend Request', retry_admin_hook_hook_log_path(@hook, @hook_log), method: :post, class: "btn btn-default float-right prepend-left-10"
= render partial: 'shared/hook_logs/content', locals: { hook_log: @hook_log } = render partial: 'shared/hook_logs/content', locals: { hook_log: @hook_log }
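Review bot: The `method: :post` added to the `link_to` on the changed line depends on rails-ujs intercepting the click and submitting a hidden form carrying the CSRF token; if JavaScript is disabled or fails to load, the anchor degrades to a plain GET, which after this commit no longer routes, so the button silently stops working instead of failing in a visible way. A `button_to` renders a real form with the authenticity token and posts without JavaScript: `= button_to 'Resend Request', retry_admin_hook_hook_log_path(@hook, @hook_log), class: "btn btn-default float-right prepend-left-10"` (the float classes may need moving onto the generated form). The same applies to the project view hunk below using `retry_project_hook_hook_log_path`.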
...@@ -4,6 +4,6 @@ ...@@ -4,6 +4,6 @@
Request details Request details
.col-lg-9 .col-lg-9
= link_to 'Resend Request', retry_project_hook_hook_log_path(@project, @hook, @hook_log), class: "btn btn-default float-right prepend-left-10" = link_to 'Resend Request', retry_project_hook_hook_log_path(@project, @hook, @hook_log), method: :post, class: "btn btn-default float-right prepend-left-10"
= render partial: 'shared/hook_logs/content', locals: { hook_log: @hook_log } = render partial: 'shared/hook_logs/content', locals: { hook_log: @hook_log }
---
title: Adding CSRF protection to Hooks resend action
merge_request:
author:
type: security
...@@ -59,7 +59,7 @@ namespace :admin do ...@@ -59,7 +59,7 @@ namespace :admin do
resources :hook_logs, only: [:show] do resources :hook_logs, only: [:show] do
member do member do
get :retry post :retry
end end
end end
end end
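Review bot: Changing `get :retry` to `post :retry` only closes the CSRF gap if Admin::HookLogsController still runs Rails' `verify_authenticity_token` before the retry action; the controller is not in this diff, so confirm it does not `skip_before_action :verify_authenticity_token` for `retry` (and likewise Projects::HookLogsController for the project routes hunk below). Since `retry` reads like a harmless read, a short comment above the route would stop the verb from being "simplified" back later: `# POST, not GET: retry re-sends the webhook and must go through CSRF verification`. The enclosing `namespace :admin do` block starts and ends outside the hunk.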
...@@ -306,7 +306,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -306,7 +306,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
resources :hook_logs, only: [:show] do resources :hook_logs, only: [:show] do
member do member do
get :retry post :retry
end end
end end
end end
...@@ -103,11 +103,11 @@ describe Admin::HooksController, "routing" do ...@@ -103,11 +103,11 @@ describe Admin::HooksController, "routing" do
end end
end end
# admin_hook_hook_log_retry GET /admin/hooks/:hook_id/hook_logs/:id/retry(.:format) admin/hook_logs#retry # admin_hook_hook_log_retry POST /admin/hooks/:hook_id/hook_logs/:id/retry(.:format) admin/hook_logs#retry
# admin_hook_hook_log GET /admin/hooks/:hook_id/hook_logs/:id(.:format) admin/hook_logs#show # admin_hook_hook_log GET /admin/hooks/:hook_id/hook_logs/:id(.:format) admin/hook_logs#show
describe Admin::HookLogsController, 'routing' do describe Admin::HookLogsController, 'routing' do
it 'to #retry' do it 'to #retry' do
expect(get('/admin/hooks/1/hook_logs/1/retry')).to route_to('admin/hook_logs#retry', hook_id: '1', id: '1') expect(post('/admin/hooks/1/hook_logs/1/retry')).to route_to('admin/hook_logs#retry', hook_id: '1', id: '1')
end end
it 'to #show' do it 'to #show' do
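Review bot: The routing spec only flips the positive case from `get` to `post`, so nothing asserts that the old GET route is gone; a later change that re-adds `get :retry` alongside `post :retry` would pass this spec unchanged. Add a negative case next to `it 'to #retry'`: `it 'does not route GET to #retry' do` / `expect(get('/admin/hooks/1/hook_logs/1/retry')).not_to be_routable` / `end`. The same applies to the Projects::HookLogsController hunk below with `/gitlab/gitlabhq/hooks/1/hook_logs/1/retry`. The `describe Admin::HookLogsController, 'routing'` block continues past the end of the hunk.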
...@@ -381,7 +381,7 @@ describe 'project routing' do ...@@ -381,7 +381,7 @@ describe 'project routing' do
end end
end end
# test_project_hook GET /:project_id/hooks/:id/test(.:format) hooks#test # test_project_hook POST /:project_id/hooks/:id/test(.:format) hooks#test
# project_hooks GET /:project_id/hooks(.:format) hooks#index # project_hooks GET /:project_id/hooks(.:format) hooks#index
# POST /:project_id/hooks(.:format) hooks#create # POST /:project_id/hooks(.:format) hooks#create
# edit_project_hook GET /:project_id/hooks/:id/edit(.:format) hooks#edit # edit_project_hook GET /:project_id/hooks/:id/edit(.:format) hooks#edit
...@@ -398,11 +398,11 @@ describe 'project routing' do ...@@ -398,11 +398,11 @@ describe 'project routing' do
end end
end end
# retry_namespace_project_hook_hook_log GET /:project_id/hooks/:hook_id/hook_logs/:id/retry(.:format) projects/hook_logs#retry # retry_namespace_project_hook_hook_log POST /:project_id/hooks/:hook_id/hook_logs/:id/retry(.:format) projects/hook_logs#retry
# namespace_project_hook_hook_log GET /:project_id/hooks/:hook_id/hook_logs/:id(.:format) projects/hook_logs#show # namespace_project_hook_hook_log GET /:project_id/hooks/:hook_id/hook_logs/:id(.:format) projects/hook_logs#show
describe Projects::HookLogsController, 'routing' do describe Projects::HookLogsController, 'routing' do
it 'to #retry' do it 'to #retry' do
expect(get('/gitlab/gitlabhq/hooks/1/hook_logs/1/retry')).to route_to('projects/hook_logs#retry', namespace_id: 'gitlab', project_id: 'gitlabhq', hook_id: '1', id: '1') expect(post('/gitlab/gitlabhq/hooks/1/hook_logs/1/retry')).to route_to('projects/hook_logs#retry', namespace_id: 'gitlab', project_id: 'gitlabhq', hook_id: '1', id: '1')
end end
it 'to #show' do it 'to #show' do