Merge branch 'open-redirect-fix-continue-to' into 'security'

Fix for open redirect vuln involving continue[to] params See merge request !2083

Merge branch 'open-redirect-fix-continue-to' into 'security'
8fae6a3d · Sean McGivern · DJ Mountney · 191e748c · 8fae6a3d · 8fae6a3d
Commit 8fae6a3d authored 7 years ago by Sean McGivern Committed by DJ Mountney 7 years ago
--- a/app/controllers/concerns/continue_params.rb
+++ b/app/controllers/concerns/continue_params.rb
@@ -7,6 +7,7 @@ module ContinueParams
  
    continue_params = continue_params.permit(:to, :notice, :notice_now)
    return unless continue_params[:to] && continue_params[:to].start_with?('/')
+    return if continue_params[:to].start_with?('//')
  
    continue_params
  end

--- a/changelogs/unreleased/open-redirect-continue-params.yml
+++ b/changelogs/unreleased/open-redirect-continue-params.yml
+---
+title: Fix for open redirect vulnerability using continue[to] in URL when requesting project import status.
+merge_request: 
+author:
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@@ -96,12 +96,19 @@ describe Projects::ImportsController do
            }
          end
  
-          it 'redirects to params[:to]' do
+          it 'redirects to internal params[:to]' do
            get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: params
  
            expect(flash[:notice]).to eq params[:notice]
            expect(response).to redirect_to params[:to]
          end
+
+          it 'does not redirect to external params[:to]' do
+            params[:to] = "//google.com"
+
+            get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, continue: params
+            expect(response).not_to redirect_to params[:to]
+          end
        end
      end