Commit 571ba5a7 authored by Douwe Maan's avatar Douwe Maan

Protect OmniAuth request phase against CSRF.

parent 62117f2f
......@@ -14,7 +14,7 @@ v 7.11.0 (unreleased)
- Add project activity atom feed.
- Don't crash when an MR from a fork has a cross-reference comment from the target project on of its commits.
- Include commit comments in MR from a forked project.
-
- Protect OmniAuth request phase against CSRF.
-
-
- Move snippets UI to fluid layout
......
......@@ -23,7 +23,7 @@ gem "pg", group: :postgres
# Auth
gem "devise", '3.2.4'
gem "devise-async", '0.9.0'
gem 'omniauth', "~> 1.1.3"
gem 'omniauth', "~> 1.2.2"
gem 'omniauth-google-oauth2'
gem 'omniauth-twitter'
gem 'omniauth-github'
......
......@@ -354,9 +354,9 @@ GEM
rack (~> 1.2)
octokit (3.7.0)
sawyer (~> 0.6.0, >= 0.5.3)
omniauth (1.1.4)
hashie (>= 1.2, < 3)
rack
omniauth (1.2.2)
hashie (>= 1.2, < 4)
rack (~> 1.0)
omniauth-bitbucket (0.0.2)
multi_json (~> 1.7)
omniauth (~> 1.1)
......@@ -734,7 +734,7 @@ DEPENDENCIES
newrelic_rpm
nprogress-rails
octokit (= 3.7.0)
omniauth (~> 1.1.3)
omniauth (~> 1.2.2)
omniauth-bitbucket
omniauth-github
omniauth-gitlab
......
......@@ -5,6 +5,6 @@
- providers.each do |provider|
%span.light
- if default_providers.include?(provider)
= link_to oauth_image_tag(provider), omniauth_authorize_path(resource_name, provider), class: 'oauth-image-link'
= link_to oauth_image_tag(provider), omniauth_authorize_path(resource_name, provider), method: :post, class: 'oauth-image-link'
- else
= link_to provider.to_s.titleize, omniauth_authorize_path(resource_name, provider), class: "btn", "data-no-turbolink" => "true"
= link_to provider.to_s.titleize, omniauth_authorize_path(resource_name, provider), method: :post, class: "btn", "data-no-turbolink" => "true"
......@@ -34,7 +34,7 @@
- enabled_social_providers.each do |provider|
.btn-group
= link_to oauth_image_tag(provider), omniauth_authorize_path(User, provider),
class: "btn btn-lg #{'active' if oauth_active?(provider)}"
method: :post, class: "btn btn-lg #{'active' if oauth_active?(provider)}"
- if oauth_active?(provider)
= link_to unlink_profile_account_path(provider: provider), method: :delete, class: 'btn btn-lg' do
%i.fa.fa-close
......
......@@ -10,3 +10,8 @@ if Gitlab::LDAP::Config.enabled?
alias_method server['provider_name'], :ldap
end
end
OmniAuth.config.allowed_request_methods = [:post]
OmniAuth.config.before_request_phase do |env|
OmniAuth::RequestForgeryProtection.new(env).call
end
# Protects OmniAuth request phase against CSRF.
module OmniAuth
# Based from ActionController::RequestForgeryProtection.
class RequestForgeryProtection
def initialize(env)
@env = env
end
def request
@request ||= ActionDispatch::Request.new(@env)
end
def session
request.session
end
def params
request.params
end
def call
verify_authenticity_token
end
def verify_authenticity_token
if !verified_request?
Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
handle_unverified_request
end
end
private
def protect_against_forgery?
ApplicationController.allow_forgery_protection
end
def request_forgery_protection_token
ApplicationController.request_forgery_protection_token
end
def forgery_protection_strategy
ApplicationController.forgery_protection_strategy
end
def verified_request?
!protect_against_forgery? || request.get? || request.head? ||
form_authenticity_token == params[request_forgery_protection_token] ||
form_authenticity_token == request.headers['X-CSRF-Token']
end
def handle_unverified_request
forgery_protection_strategy.new(self).handle_unverified_request
end
# Sets the token value for the current session.
def form_authenticity_token
session[:_csrf_token] ||= SecureRandom.base64(32)
end
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment