Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee

9141b9ce · GitLab Bot · 88725a6b · 9141b9ce · 9141b9ce · 9141b9ce
Commit 9141b9ce authored Apr 27, 2020 by GitLab Bot
4 changed files
--- a/app/controllers/oauth/authorized_applications_controller.rb
+++ b/app/controllers/oauth/authorized_applications_controller.rb
@@ -5,6 +5,13 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio

  layout 'profile'

+  def index
+    respond_to do |format|
+      format.html { render "errors/not_found", layout: "errors", status: :not_found }
+      format.json { render json: "", status: :not_found }
+    end
+  end
+
  def destroy
    if params[:token_id].present?
      current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke

--- a/changelogs/unreleased/security-file-template-project.yml
+++ b/changelogs/unreleased/security-file-template-project.yml
+---
+title: Do not return private project ID without permission
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-fix-CVE-2020-10187.yml
+++ b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
+---
+title: Fix doorkeeper CVE-2020-10187
+merge_request:
+author:
+type: security
--- a/spec/controllers/oauth/authorized_applications_controller_spec.rb
+++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Oauth::AuthorizedApplicationsController do
+  let(:user) { create(:user) }
+  let(:guest) { create(:user) }
+  let(:application) { create(:oauth_application, owner: guest) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe 'GET #index' do
+    it 'responds with 404' do
+      get :index
+
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+  end
+end