author | Shinya Maeda <shinya@gitlab.com> | 2017-10-06 21:28:40 +0900 |
---|---|---|
committer | Shinya Maeda <shinya@gitlab.com> | 2017-10-06 21:28:40 +0900 |
commit | f293288589f24e1928b57dcd3428b762ae9ced79 (patch) | |
tree | d54b6425ac0fe596e27d3cbe291e08f28b10267b /spec/controllers/google_api | |
parent | 5ced761ebdcb0579377e338c2e321e4ba0373336 (diff) | |
download | gitlab-ce-f293288589f24e1928b57dcd3428b762ae9ced79.tar.gz |
Security fix: redirection in google_api/authorizations_controller
Diffstat (limited to 'spec/controllers/google_api')
-rw-r--r-- | spec/controllers/google_api/authorizations_controller_spec.rb | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/spec/controllers/google_api/authorizations_controller_spec.rb b/spec/controllers/google_api/authorizations_controller_spec.rb
index 64c16af582f..5413f20c83c 100644
--- a/spec/controllers/google_api/authorizations_controller_spec.rb
+++ b/spec/controllers/google_api/authorizations_controller_spec.rb
@@ -3,12 +3,10 @@ require 'spec_helper'
 describe GoogleApi::AuthorizationsController do
 describe 'GET|POST #callback' do
 let(:user) { create(:user) }
- let(:project) { create(:project) }
- let(:state) { project_clusters_url(project).to_s }
 let(:token) { 'token' }
 let(:expires_at) { 1.hour.since.strftime('%s') }
 
- subject { get :callback, code: 'xxx', state: state }
+ subject { get :callback, code: 'xxx', state: @state }
 
 before do
 sign_in(user)
@@ -17,7 +15,7 @@ describe GoogleApi::AuthorizationsController do
 .to receive(:get_token).and_return([token, expires_at])
 end
 
- it 'sets token and expires_atin session' do
+ it 'sets token and expires_at in session' do
 subject
 
 expect(session[GoogleApi::CloudPlatform::Client.session_key_for_token])
@@ -26,15 +24,24 @@ describe GoogleApi::AuthorizationsController do
 .to eq(expires_at)
 end
 
- context 'when redirection url is stored in state' do
+ context 'when second redirection url key is stored in state' do
+ set(:project) { create(:project) }
+ let(:second_redirect_uri) { namespace_project_clusters_url(project.namespace, project).to_s } # TODO: revrt
+
+ before do
+ GoogleApi::CloudPlatform::Client
+ .session_key_for_second_redirect_uri.tap do |key, secure|
+ @state = secure
+ session[key] = second_redirect_uri
+ end
+ end
+
 it 'redirects to the URL stored in state param' do
- expect(subject).to redirect_to(state)
+ expect(subject).to redirect_to(second_redirect_uri)
 end
 end
 
 context 'when redirection url is not stored in state' do
- let(:state) { '' }
-
 it 'redirects to root_path' do
 expect(subject).to redirect_to(root_path)
 end
|
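Review bot: `subject { get :callback, code: 'xxx', state: @state }` reads an instance variable that only the `before` block of the 'when second redirection url key is stored in state' context assigns, so the 'not stored in state' example now sends `state: nil` instead of the `''` the deleted `let(:state) { '' }` sent, and a controller that treats a blank `state` differently from an absent one has one of those paths untested. Driving `subject` from an instance variable is also fragile RSpec style: declare `let(:state) { nil }` next to `let(:token)`, override it in the context that needs the secure token, and pass `state: state`. Keeping the blank-string case as an explicit `context 'when state is blank'` with `let(:state) { '' }` would restore the coverage this hunk drops. Both `describe` blocks opened here close after the hunk.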
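Review bot: The new context only exercises the happy path — `state` equal to the `secure` value from `session_key_for_second_redirect_uri` redirects to the session-stored URI — while the case a redirect fix exists for, a redirect URI present in the session but a `state` that does not match the token, has no example, so a controller that fell back to the session value without validating `state` would still pass this spec. Add a sibling context with the same `before` setup but a forged `state` and `expect(subject).to redirect_to(root_path)`; the controller lookup itself is outside this diff (the diffstat covers only spec/controllers/google_api), so the exact failure mode is inferred from the spec. The `# TODO: revrt` trailing the `second_redirect_uri` line is misspelled and names no target; write `# TODO: revert to project_clusters_url(project)` or drop it. The example title `'redirects to the URL stored in state param'` now describes the old design, since the URI lives in the session and `state` carries only the token; `'redirects to the session-stored URL when state matches its token'` says what is tested. The outer `describe` blocks close after this hunk.
```ruby
# … unchanged: 'when second redirection url key is stored in state' context …

context 'when state does not match the session token' do
  set(:project) { create(:project) }
  let(:second_redirect_uri) { namespace_project_clusters_url(project.namespace, project).to_s }

  before do
    GoogleApi::CloudPlatform::Client
      .session_key_for_second_redirect_uri.tap do |key, _secure|
      @state = 'forged'
      session[key] = second_redirect_uri
    end
  end

  it 'ignores the session-stored URL and redirects to root_path' do
    expect(subject).to redirect_to(root_path)
  end
end
```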