Handles leading and trailing slashes correctly on return_to path

5d4f78ab · Douglas Barbosa Alexandre · cded1917 · 5d4f78ab · 5d4f78ab · 5d4f78ab
Commit 5d4f78ab authored Nov 06, 2018 by Douglas Barbosa Alexandre
3 changed files
--- a/ee/app/services/oauth2/logout_token_validation_service.rb
+++ b/ee/app/services/oauth2/logout_token_validation_service.rb
@@ -27,6 +27,8 @@ module Oauth2

        if logout_token&.is_utf8?
          Doorkeeper::AccessToken.by_token(logout_token)
+        else
+          nil
        end
      end
    end
@@ -37,7 +39,7 @@ module Oauth2

    def user_return_to
      full_path = oauth_session.get_oauth_state_return_to_full_path
-      URI.join(geo_node_url, full_path).to_s
+      Gitlab::Utils.append_path(geo_node_url, full_path)
    end

    def geo_node_url

--- a/ee/lib/gitlab/geo/oauth_session.rb
+++ b/ee/lib/gitlab/geo/oauth_session.rb
@@ -132,7 +132,13 @@ module Gitlab

        def full_path
          uri = parse_uri(location)
-          full_path_for_uri(uri) if uri
+
+          if uri
+            path = remove_domain_from_uri(uri)
+            path = add_fragment_back_to_path(uri, path)
+
+            path
+          end
        end

        private
@@ -140,14 +146,17 @@ module Gitlab
        attr_reader :location

        def parse_uri(location)
-          location && URI.parse(location)
+          location && URI.parse(location.sub(/\A\/\/+/, '/'))
        rescue URI::InvalidURIError
          nil
        end

-        def full_path_for_uri(uri)
-          path_with_query = [uri.path, uri.query].compact.join('?')
-          [path_with_query, uri.fragment].compact.join("#")
+        def remove_domain_from_uri(uri)
+          [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+        end
+
+        def add_fragment_back_to_path(uri, path)
+          [path, uri.fragment].compact.join('#')
        end
      end


--- a/ee/spec/services/oauth2/logout_token_validation_service_spec.rb
+++ b/ee/spec/services/oauth2/logout_token_validation_service_spec.rb
@@ -70,7 +70,7 @@ describe Oauth2::LogoutTokenValidationService do
        it 'returns the fullpath to the Geo node to redirect the user back' do
          result = described_class.new(user, state: logout_state).execute

-          expect(result).to include(return_to: URI.join(node.url, oauth_return_to).to_s)
+          expect(result).to include(return_to: "#{node.url.chomp('/')}/project/test")
        end

        it 'replaces the host with the Geo node associated with OAuth application' do
@@ -80,7 +80,17 @@ describe Oauth2::LogoutTokenValidationService do

          result = described_class.new(user, state: logout_state).execute

-          expect(result).to include(return_to: URI.join(node.url, '/project/test').to_s)
+          expect(result).to include(return_to: "#{node.url.chomp('/')}/project/test")
+        end
+
+        it 'handles leading and trailing slashes correctly on return_to path' do
+          oauth_return_to = '//project/test'
+          oauth_session = Gitlab::Geo::OauthSession.new(access_token: access_token.token, return_to: oauth_return_to)
+          logout_state = oauth_session.generate_logout_state
+
+          result = described_class.new(user, state: logout_state).execute
+
+          expect(result).to include(return_to: "#{node.url.chomp('/')}/project/test")
        end
      end
    end