disable vcs on org (#1092)

* disable vcs on org

* fix build error

* remove negation

* spec for com & enterprise

* spec for com & enterprise

Author: Tahsin-travis-ci

lib/travis/api/app/endpoint/authorization.rb

@@ -104,7 +104,7 @@ class Authorization < Endpoint
       #
       # * **redirect_uri**: URI to redirect to after handshake.
       get '/handshake/?:provider?' do
-        method = Travis::Features.enabled_for_all?(:vcs_login) ? :vcs_handshake : :handshake
+        method = org? ? :handshake : :vcs_handshake
         params[:provider] ||= 'github'
 
         send(method) do |user, token, redirect_uri|

spec/unit/endpoint/authorization_spec.rb

@@ -40,6 +40,13 @@
   end
 
   describe "GET /auth/handshake" do
+    before do
+      ENV['TRAVIS_SITE'] = 'org'
+    end
+    after do
+      ENV['TRAVIS_SITE'] = nil
+    end
+    
     describe 'evil hackers messing with the state' do
       it 'does not succeed if state cookie mismatches' do
         Travis.redis.sadd('github:states', 'github-state')
@@ -50,7 +57,7 @@
       end
     end
 
-    describe 'evil hackers messing with redirection' do
+    describe 'On org, evil hackers messing with redirection' do
       before do
         WebMock.stub_request(:post, "https://foobar.com/access_token_path")
           .to_return(status: 200, body: 'access_token=token&token_type=bearer')
@@ -109,6 +116,66 @@
       end
     end
 
+    describe 'On com and enterprise, evil hackers messing with redirection' do
+      before do
+        WebMock.stub_request(:post, "https://foobar.com/access_token_path")
+          .to_return(status: 200, body: 'access_token=token&token_type=bearer')
+
+        WebMock.stub_request(:get, "https://api.github.com/user?per_page=100")
+          .to_return(
+            status: 200,
+            body: JSON.dump(name: 'Piotr Sarnacki', login: 'drogus', gravatar_id: '123', id: 456, foo: 'bar'), headers: {'X-OAuth-Scopes' => 'repo, user, new_scope'}
+          )
+
+        cookie_jar['travis.state-github'] = state
+        Travis.redis.sadd('github:states', state)
+        ENV['TRAVIS_SITE'] = nil
+      end
+
+      after do
+        Travis.redis.srem('github:states', state)
+      end
+
+      context 'when redirect uri is correct' do
+        let(:state) { 'github-state:::https://travis-ci.com/?any=params' }
+
+        it 'it does allow redirect' do
+          response = get "/auth/handshake/github?code=1234&state=#{URI.encode(state)}"
+          expect(response.status).to eq(200)
+        end
+      end
+
+      context 'when redirect uri is not allowed' do
+        let(:state) { 'github-state:::https://dark-corner-of-web.com/' }
+
+        it 'does not allow redirect' do
+          response = get "/auth/handshake/github?code=1234&state=#{URI.encode(state)}"
+          expect(response.status).to eq(401)
+          expect(response.body).to eq("target URI not allowed")
+        end
+      end
+
+      context 'when script tag is injected into redirect uri' do
+        let(:state) { 'github-state:::https://travis-ci.com/<sCrIpt' }
+
+        it 'does not allow redirect' do
+          response = get "/auth/handshake/github?code=1234&state=#{URI.encode(state)}"
+          expect(response.status).to eq(401)
+          expect(response.body).to eq("target URI not allowed")
+        end
+      end
+
+      context 'when onerror tag is injected into redirect uri' do
+        let(:state) { 'github-state:::https://travis-ci.com/<img% src="" onerror="badcode()"' }
+
+        it 'does not allow redirect' do
+          response = get "/auth/handshake/github?code=1234&state=#{URI.encode(state)}"
+          expect(response.status).to eq(401)
+          expect(response.body).to eq("target URI not allowed")
+        end
+      end
+    end
+
     describe 'with insufficient oauth permissions' do
       before do
         Travis.redis.sadd('github:states', 'github-state')