Commit 90aa9f5e authored by Josianne Hyson's avatar Josianne Hyson Committed by Paul Slaughter

Update doorkeeper to 4.4.3

Updates the doorkeeper gem to 4.4.3 so that we can address security
issue CVE-2018-1000211.

This issue involves token revocation not working for public apps.
parent 33780dd6
......@@ -26,7 +26,7 @@ gem 'marginalia', '~> 1.8.0'
# Authentication libraries
gem 'devise', '~> 4.6'
gem 'doorkeeper', '~> 4.3'
gem 'doorkeeper', '~> 4.4.3'
gem 'doorkeeper-openid_connect', '~> 1.5'
gem 'omniauth', '~> 1.8'
gem 'omniauth-auth0', '~> 2.0.0'
......@@ -231,7 +231,7 @@ GEM
docile (1.3.1)
domain_name (0.5.20180417)
unf (>= 0.0.5, < 1.0.0)
doorkeeper (4.3.2)
doorkeeper (4.4.3)
railties (>= 4.2)
doorkeeper-openid_connect (1.5.0)
doorkeeper (~> 4.3)
......@@ -1180,7 +1180,7 @@ DEPENDENCIES
diff_match_patch (~> 0.1.0)
diffy (~> 3.1.0)
discordrb-webhooks-blackst0ne (~> 3.3)
doorkeeper (~> 4.3)
doorkeeper (~> 4.4.3)
doorkeeper-openid_connect (~> 1.5)
ed25519 (~> 1.2)
elasticsearch-api (~> 6.8)
......@@ -55,6 +55,8 @@ class Admin::ApplicationsController < Admin::ApplicationController
# Only allow a trusted parameter "white list" through.
def application_params
params.require(:doorkeeper_application).permit(:name, :redirect_uri, :trusted, :scopes)
.permit(:name, :redirect_uri, :trusted, :scopes, :confidential)
......@@ -30,6 +30,14 @@
Trusted applications are automatically authorized on GitLab OAuth flow.
= content_tag :div, class: 'form-group row' do
= f.label :confidential
= f.check_box :confidential
= _('The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.')
= f.label :scopes
......@@ -12,6 +12,7 @@
%th Callback URL
%th Clients
%th Trusted
%th Confidential
......@@ -21,6 +22,7 @@
%td= application.redirect_uri
%td= @application_counts[].to_i
%td= application.trusted? ? 'Y': 'N'
%td= application.confidential? ? 'Y': 'N'
%td= link_to 'Edit', edit_admin_application_path(application), class: 'btn btn-link'
%td= render 'delete_form', application: application
= paginate @applications, theme: 'gitlab'
......@@ -36,6 +36,12 @@
= @application.trusted? ? 'Y' : 'N'
= @application.confidential? ? 'Y' : 'N'
= render "shared/tokens/scopes_list", token: @application
......@@ -15,6 +15,12 @@
= _('Use <code>%{native_redirect_uri}</code> for local tests').html_safe % { native_redirect_uri: Doorkeeper.configuration.native_redirect_uri }
= f.check_box :confidential, class: 'form-check-input'
= f.label :confidential, class: 'label-bold form-check-label'
= _('The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.')
= f.label :scopes, class: 'label-bold'
= render 'shared/tokens/scopes_form', prefix: 'doorkeeper_application', token: application, scopes: @scopes
......@@ -34,6 +34,12 @@
%span.monospace= uri
= _('Confidential')
= @application.confidential? ? _('Yes') : _('No')
= render "shared/tokens/scopes_list", token: @application
title: Upgrade Doorkeeper to 4.4.3 to address CVE-2018-1000211
merge_request: 20953
type: security
......@@ -118,8 +118,8 @@ end
# app created does not match the complete list of scopes of the configured app.
# It also prevents the OAuth authorize application window to appear every time.
# Remove after we upgrade the doorkeeper gem from version 4.3.2
if Doorkeeper.gem_version >'4.3.2')
# Remove after we upgrade the doorkeeper gem from version 4.x
if Doorkeeper.gem_version >'5.0.0')
raise "Doorkeeper was upgraded, please remove the monkey patch in #{__FILE__}"
# frozen_string_literal: true
class AddConfidentialToDoorkeeperApplication < ActiveRecord::Migration[5.2]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
def up
add_column_with_default( # rubocop:disable Migration/AddColumnWithDefault
default: false, # assume all existing applications are non-confidential
allow_null: false
# set the default to true so that all future applications are confidential by default
change_column_default(:oauth_applications, :confidential, true)
def down
remove_column :oauth_applications, :confidential
......@@ -2853,6 +2853,7 @@ ActiveRecord::Schema.define(version: 2020_01_21_132641) do
t.integer "owner_id"
t.string "owner_type"
t.boolean "trusted", default: false, null: false
t.boolean "confidential", default: true, null: false
t.index ["owner_id", "owner_type"], name: "index_oauth_applications_on_owner_id_and_owner_type"
t.index ["uid"], name: "index_oauth_applications_on_uid", unique: true
......@@ -23,10 +23,11 @@ POST /applications
| Attribute | Type | Required | Description |
| `name` | string | yes | Name of the application. |
| `redirect_uri` | string | yes | Redirect URI of the application. |
| `scopes` | string | yes | Scopes of the application. |
| `confidential` | boolean | no | The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential. Defaults to `true` if not supplied |
Example request:
......@@ -42,7 +43,8 @@ Example response:
"application_id": "5832fc6e14300a0d962240a8144466eef4ee93ef0d218477e55f11cf12fc3737",
"application_name": "MyApplication",
"secret": "ee1dd64b6adc89cf7e2c23099301ccc2c61b441064e9324d963c46902a85ec34",
"callback_url": "http://redirect.uri"
"callback_url": "http://redirect.uri",
"confidential": true
......@@ -68,7 +70,8 @@ Example response:
"application_id": "5832fc6e14300a0d962240a8144466eef4ee93ef0d218477e55f11cf12fc3737",
"application_name": "MyApplication",
"callback_url": "http://redirect.uri"
"callback_url": "http://redirect.uri",
"confidential": true
......@@ -14,6 +14,9 @@ module API
requires :name, type: String, desc: 'Application name'
requires :redirect_uri, type: String, desc: 'Application redirect URI'
requires :scopes, type: String, desc: 'Application scopes'
optional :confidential, type: Boolean, default: true,
desc: 'Application will be used where the client secret is confidential'
post do
application =
......@@ -1828,6 +1828,7 @@ module API
expose :uid, as: :application_id
expose :name, as: :application_name
expose :redirect_uri, as: :callback_url
expose :confidential
# Use with care, this exposes the secret
......@@ -18420,6 +18420,9 @@ msgstr ""
msgid "The amount of seconds after which a request to get a secondary node status will time out."
msgstr ""
msgid "The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential."
msgstr ""
msgid "The branch for this project has no active pipeline configuration."
msgstr ""
......@@ -40,7 +40,7 @@ describe Admin::ApplicationsController do
describe 'POST #create' do
it 'creates the application' do
create_params = attributes_for(:application, trusted: true)
create_params = attributes_for(:application, trusted: true, confidential: false)
expect do
post :create, params: { doorkeeper_application: create_params }
......@@ -60,16 +60,34 @@ describe Admin::ApplicationsController do
expect(response).to render_template :new
expect(assigns[:scopes]).to be_kind_of(Doorkeeper::OAuth::Scopes)
context 'when the params are for a confidential application' do
it 'creates a confidential application' do
create_params = attributes_for(:application, confidential: true)
expect do
post :create, params: { doorkeeper_application: create_params } change { Doorkeeper::Application.count }.by(1)
application = Doorkeeper::Application.last
expect(response).to redirect_to(admin_application_path(application))
expect(application).to have_attributes(create_params.except(:uid, :owner_type))
describe 'PATCH #update' do
it 'updates the application' do
patch :update, params: { id:, doorkeeper_application: { redirect_uri: '', trusted: true } }
doorkeeper_params = { redirect_uri: '', trusted: true, confidential: false }
patch :update, params: { id:, doorkeeper_application: doorkeeper_params }
expect(response).to redirect_to(admin_application_path(application))
expect(application).to have_attributes(redirect_uri: '', trusted: true)
.to have_attributes(redirect_uri: '', trusted: true, confidential: false)
it 'renders the application form on errors' do
......@@ -78,5 +96,16 @@ describe Admin::ApplicationsController do
expect(response).to render_template :edit
expect(assigns[:scopes]).to be_kind_of(Doorkeeper::OAuth::Scopes)
context 'when updating the application to be confidential' do
it 'successfully sets the application to confidential' do
doorkeeper_params = { confidential: true }
patch :update, params: { id:, doorkeeper_application: doorkeeper_params }
expect(response).to redirect_to(admin_application_path(application))
expect(application).to be_confidential
......@@ -21,18 +21,21 @@ RSpec.describe 'admin manage applications' do
expect(page).to have_content('Application ID')
expect(page).to have_content('Secret')
expect(page).to have_content('Trusted Y')
expect(page).to have_content('Confidential Y')
click_on 'Edit'
expect(page).to have_content('Edit application')
fill_in :doorkeeper_application_name, with: 'test_changed'
uncheck :doorkeeper_application_trusted
uncheck :doorkeeper_application_confidential
click_on 'Submit'
expect(page).to have_content('test_changed')
expect(page).to have_content('Application ID')
expect(page).to have_content('Secret')
expect(page).to have_content('Trusted N')
expect(page).to have_content('Confidential N')
visit admin_applications_path
page.within '.oauth-applications' do
......@@ -20,16 +20,19 @@ describe 'User manages applications' do
expect(page).to have_content 'Application: test'
expect(page).to have_content 'Application ID'
expect(page).to have_content 'Secret'
expect(page).to have_content 'Confidential Yes'
click_on 'Edit'
expect(page).to have_content 'Edit application'
fill_in :doorkeeper_application_name, with: 'test_changed'
uncheck :doorkeeper_application_confidential
click_on 'Save application'
expect(page).to have_content 'test_changed'
expect(page).to have_content 'Application ID'
expect(page).to have_content 'Secret'
expect(page).to have_content 'Confidential No'
visit applications_profile_path
......@@ -21,6 +21,7 @@ describe API::Applications, :api do
expect(json_response['application_id']).to eq application.uid
expect(json_response['secret']).to eq application.secret
expect(json_response['callback_url']).to eq application.redirect_uri
expect(json_response['confidential']).to eq application.confidential
it 'does not allow creating an application with the wrong redirect_uri format' do
......@@ -72,6 +73,16 @@ describe API::Applications, :api do
expect(json_response).to be_a Hash
expect(json_response['error']).to eq('scopes is missing')
it 'does not allow creating an application with confidential set to nil' do
expect do
post api('/applications', admin_user), params: { name: 'application_name', redirect_uri: 'http://application.url', scopes: '', confidential: nil }
end.not_to change { Doorkeeper::Application.count }
expect(response).to have_gitlab_http_status(400)
expect(json_response).to be_a Hash
expect(json_response['message']['confidential'].first).to eq('is not included in the list')
context 'authorized user without authorization' do
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment