Fix confirmation redirect to app without `Location` header (#18523)

author Eugen Rochko <eugen@zeonfederated.com>

Thu, 26 May 2022 20:03:54 +0000 (22:03 +0200)

committer single-right-quote <11325618-aescling@users.noreply.gitlab.com>

Fri, 27 May 2022 03:55:21 +0000 (23:55 -0400)
author Eugen Rochko <eugen@zeonfederated.com>
Thu, 26 May 2022 20:03:54 +0000 (22:03 +0200)
committer single-right-quote <11325618-aescling@users.noreply.gitlab.com>
Fri, 27 May 2022 03:55:21 +0000 (23:55 -0400)
diff --git a/app/controllers/auth/confirmations_controller.rb b/app/controllers/auth/confirmations_controller.rb

index 17ad56fa87e1921ee762d3156d42bf7ef26d181b..0817a905ca168bc60268793bf6b4d4e65b171bad 100644 (file)
--- a/app/controllers/auth/confirmations_controller.rb
+++ b/app/controllers/auth/confirmations_controller.rb
@@ -89,7 +89,7 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
  
    def after_confirmation_path_for(_resource_name, user)
      if user.created_by_application && truthy_param?(:redirect_to_app)
-      user.created_by_application.redirect_uri
+      user.created_by_application.confirmation_redirect_uri
      else
        super
      end
diff --git a/app/lib/application_extension.rb b/app/lib/application_extension.rb

index a1fea6430a9fdb661bb37357207845ae46bbb839..d61ec0e6e7f121220c7055122e40453c3401db28 100644 (file)
--- a/app/lib/application_extension.rb
+++ b/app/lib/application_extension.rb
@@ -12,4 +12,8 @@ module ApplicationExtension
    def most_recently_used_access_token
      @most_recently_used_access_token ||= access_tokens.where.not(last_used_at: nil).order(last_used_at: :desc).first
    end
+
+  def confirmation_redirect_uri
+    redirect_uri.lines.first.strip
+  end
  end
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb

index f78db865341679bde035b66ba7a96f86724627fa..84b649f5c1017c2ff59d44aee16e1148f71f83e8 100644 (file)
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -128,6 +128,13 @@ Doorkeeper.configure do
    #
    force_ssl_in_redirect_uri false
  
+  # Specify what redirect URI's you want to block during Application creation.
+  # Any redirect URI is whitelisted by default.
+  #
+  # You can use this option in order to forbid URI's with 'javascript' scheme
+  # for example.
+  forbid_redirect_uri { |uri| %w[data vbscript javascript].include?(uri.scheme.to_s.downcase) }
+
    # Specify what grant flows are enabled in array of Strings. The valid
    # strings and the flows they enable are:
    #
author	Eugen Rochko <eugen@zeonfederated.com>
	Thu, 26 May 2022 20:03:54 +0000 (22:03 +0200)
committer	single-right-quote <11325618-aescling@users.noreply.gitlab.com>
	Fri, 27 May 2022 03:55:21 +0000 (23:55 -0400)
app/controllers/auth/confirmations_controller.rb		patch \| blob \| history
app/lib/application_extension.rb		patch \| blob \| history
config/initializers/doorkeeper.rb		patch \| blob \| history