From b80653bb6aa8518e0a61e85cae4430928078c092 Mon Sep 17 00:00:00 2001 From: Sean McGivern Date: Wed, 5 Apr 2017 22:52:19 +0000 Subject: Merge branch 'open-redirect-host-fix' into 'security' Fix for three open redirect vulns using redirect_to url_for(params.merge))) See merge request !2082 --- spec/controllers/projects/issues_controller_spec.rb | 11 +++++++++++ spec/controllers/projects/merge_requests_controller_spec.rb | 12 ++++++++++++ 2 files changed, 23 insertions(+) (limited to 'spec/controllers/projects') diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb index 734966d50b2..d5f1d46bf7f 100644 --- a/spec/controllers/projects/issues_controller_spec.rb +++ b/spec/controllers/projects/issues_controller_spec.rb @@ -83,6 +83,17 @@ describe Projects::IssuesController do expect(assigns(:issues).current_page).to eq(last_page) expect(response).to have_http_status(200) end + + it 'does not redirect to external sites when provided a host field' do + external_host = "www.example.com" + get :index, + namespace_id: project.namespace.to_param, + project_id: project, + page: (last_page + 1).to_param, + host: external_host + + expect(response).to redirect_to(namespace_project_issues_path(page: last_page, state: controller.params[:state], scope: controller.params[:scope])) + end end end diff --git a/spec/controllers/projects/merge_requests_controller_spec.rb b/spec/controllers/projects/merge_requests_controller_spec.rb index 72f41f7209a..99d5583e683 100644 --- a/spec/controllers/projects/merge_requests_controller_spec.rb +++ b/spec/controllers/projects/merge_requests_controller_spec.rb @@ -176,6 +176,18 @@ describe Projects::MergeRequestsController do expect(assigns(:merge_requests).current_page).to eq(last_page) expect(response).to have_http_status(200) end + + it 'does not redirect to external sites when provided a host field' do + external_host = "www.example.com" + get :index, + namespace_id: project.namespace.to_param, + project_id: project, + state: 'opened', + page: (last_page + 1).to_param, + host: external_host + + expect(response).to redirect_to(namespace_project_merge_requests_path(page: last_page, state: controller.params[:state], scope: controller.params[:scope])) + end end context 'when filtering by opened state' do -- cgit v1.2.1 From d687f6436a14c8b36f1a560ee95222bb2d4fb63f Mon Sep 17 00:00:00 2001 From: Sean McGivern Date: Wed, 5 Apr 2017 21:17:49 +0000 Subject: Merge branch 'open-redirect-fix-continue-to' into 'security' Fix for open redirect vuln involving continue[to] params See merge request !2083 --- spec/controllers/projects/imports_controller_spec.rb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'spec/controllers/projects') diff --git a/spec/controllers/projects/imports_controller_spec.rb b/spec/controllers/projects/imports_controller_spec.rb index 7c75815f3c4..6724b474179 100644 --- a/spec/controllers/projects/imports_controller_spec.rb +++ b/spec/controllers/projects/imports_controller_spec.rb @@ -96,12 +96,19 @@ describe Projects::ImportsController do } end - it 'redirects to params[:to]' do + it 'redirects to internal params[:to]' do get :show, namespace_id: project.namespace.to_param, project_id: project, continue: params expect(flash[:notice]).to eq params[:notice] expect(response).to redirect_to params[:to] end + + it 'does not redirect to external params[:to]' do + params[:to] = "//google.com" + + get :show, namespace_id: project.namespace.to_param, project_id: project, continue: params + expect(response).not_to redirect_to params[:to] + end end end -- cgit v1.2.1