Validate session key when authorizing with GCP to create a cluster

It was previously possible to link a GCP account to another user's GitLab account by having them visit the callback URL, as there was no check that they were the initiator of the request. We now reject the callback unless the state parameter matches the one added to the initiating user's session.

Validate session key when authorizing with GCP to create a cluster
It was previously possible to link a GCP account to another user's GitLab account by having them visit the callback URL, as there was no check that they were the initiator of the request. We now reject the callback unless the state parameter matches the one added to the initiating user's session.
fc8c1a77 · Tiger · 0f20c401 · fc8c1a77 · fc8c1a77 · fc8c1a77
Commit fc8c1a77 authored Feb 13, 2019 by Tiger
3 changed files
--- a/app/controllers/google_api/authorizations_controller.rb
+++ b/app/controllers/google_api/authorizations_controller.rb
@@ -2,6 +2,10 @@
 module GoogleApi
  class AuthorizationsController < ApplicationController
+    include Gitlab::Utils::StrongMemoize
+    before_action :validate_session_key!
    def callback
      token, expires_at = GoogleApi::CloudPlatform::Client
        .new(nil, callback_google_api_auth_url)
@@ -11,21 +15,27 @@ module GoogleApi
      session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] =
        expires_at.to_s
-      state_redirect_uri = redirect_uri_from_session_key(params[:state])
+      redirect_to redirect_uri_from_session
+    end
+    private
+    def validate_session_key!
+      access_denied! unless redirect_uri_from_session.present?
+    end
-      if state_redirect_uri
+    def redirect_uri_from_session
-        redirect_to state_redirect_uri
+      strong_memoize(:redirect_uri_from_session) do
+        if params[:state].present?
+          session[session_key_for_redirect_uri(params[:state])]
        else
-        redirect_to root_path
+          nil
+        end
      end
    end
-    private
+    def session_key_for_redirect_uri(state)
+      GoogleApi::CloudPlatform::Client.session_key_for_redirect_uri(state)
-    def redirect_uri_from_session_key(state)
-      key = GoogleApi::CloudPlatform::Client
-        .session_key_for_redirect_uri(params[:state])
-      session[key] if key
    end
  end
 end
--- a/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
+++ b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
+---
+title: Validate session key when authorizing with GCP to create a cluster
+merge_request:
+author:
+type: security
--- a/spec/controllers/google_api/authorizations_controller_spec.rb
+++ b/spec/controllers/google_api/authorizations_controller_spec.rb
@@ -6,7 +6,7 @@ describe GoogleApi::AuthorizationsController do
    let(:token) { 'token' }
    let(:expires_at) { 1.hour.since.strftime('%s') }
-    subject { get :callback, params: { code: 'xxx', state: @state } }
+    subject { get :callback, params: { code: 'xxx', state: state } }
    before do
      sign_in(user)
@@ -15,24 +15,33 @@ describe GoogleApi::AuthorizationsController do
        .to receive(:get_token).and_return([token, expires_at])
    end
-    it 'sets token and expires_at in session' do
+    shared_examples_for 'access denied' do
+      it 'returns a 404' do
        subject
-      expect(session[GoogleApi::CloudPlatform::Client.session_key_for_token])
+        expect(session[GoogleApi::CloudPlatform::Client.session_key_for_token]).to be_nil
-        .to eq(token)
+        expect(response).to have_http_status(:not_found)
-      expect(session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at])
+      end
-        .to eq(expires_at)
    end
-    context 'when redirect uri key is stored in state' do
+    context 'session key is present' do
-      set(:project) { create(:project) }
+      let(:session_key) { 'session-key' }
-      let(:redirect_uri) { project_clusters_url(project).to_s }
+      let(:redirect_uri) { 'example.com' }
      before do
-        @state = GoogleApi::CloudPlatform::Client
+        session[GoogleApi::CloudPlatform::Client.session_key_for_redirect_uri(session_key)] = redirect_uri
-          .new_session_key_for_redirect_uri do |key|
-          session[key] = redirect_uri
      end
+      context 'session key matches state param' do
+        let(:state) { session_key }
+        it 'sets token and expires_at in session' do
+          subject
+          expect(session[GoogleApi::CloudPlatform::Client.session_key_for_token])
+            .to eq(token)
+          expect(session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at])
+            .to eq(expires_at)
        end
        it 'redirects to the URL stored in state param' do
@@ -40,10 +49,23 @@ describe GoogleApi::AuthorizationsController do
        end
      end
-    context 'when redirection url is not stored in state' do
+      context 'session key does not match state param' do
-      it 'redirects to root_path' do
+        let(:state) { 'bad-key' }
-        expect(subject).to redirect_to(root_path)
+        it_behaves_like 'access denied'
      end
+      context 'state param is blank' do
+        let(:state) { '' }
+        it_behaves_like 'access denied'
+      end
+    end
+    context 'state param is present, but session key is blank' do
+      let(:state) { 'session-key' }
+      it_behaves_like 'access denied'
    end
  end
 end