Merge pull request #1123 from travis-ci/as-state-missmatch

artursmirnov · web-flow · commit c36bb785a745 · 2020-10-19T15:24:17.000+03:00
Fix state mismatch issue
diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
@@ -166,7 +166,8 @@ def handshake
           if params[:code]
             unless state_ok?(params[:state])
               log_with_request_id("[handshake] Handshake failed (state mismatch)")
-              halt 400, 'state mismatch'
+              handle_invalid_response
+              return
             end
 
             endpoint.path          = config[:access_token_path]
@@ -196,7 +197,8 @@ def remote_vcs_user
         def vcs_handshake
           if params[:code]
             unless state_ok?(params[:state], params[:provider])
-              halt 400, 'state mismatch'
+              handle_invalid_response
+              return
             end
 
             vcs_data = remote_vcs_user.authenticate(
@@ -259,6 +261,18 @@ def cookie_name(provider = :github)
 
         # VCS HANDSHAKE END
 
+        def clear_state_cookies
+          response.delete_cookie cookie_name(:github)
+          response.delete_cookie cookie_name(:gitlab)
+          response.delete_cookie cookie_name(:bitbucket)
+          response.delete_cookie cookie_name(:assembla)
+        end
+
+        def handle_invalid_response
+          clear_state_cookies
+          redirect to("https://#{Travis.config.host}/")
+        end
+
         def create_state
           state = SecureRandom.urlsafe_base64(16)
           redis.sadd('github:states', state)
diff --git a/spec/unit/endpoint/authorization_spec.rb b/spec/unit/endpoint/authorization_spec.rb
@@ -48,11 +48,25 @@
     end
     
     describe 'evil hackers messing with the state' do
-      it 'does not succeed if state cookie mismatches' do
+      before do
+        WebMock.stub_request(:post, "https://foobar.com/access_token_path").
+          with(
+            body: "{\"client_id\":\"client-id\",\"scope\":\"public_repo,user:email,new_scope\",\"redirect_uri\":\"http://example.org/auth/handshake\",\"state\":\"github-state\",\"code\":\"oauth-code\",\"client_secret\":\"client-secret\"}",
+            headers: {
+              'Accept' => '*/*',
+              'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
+              'Connection' => 'keep-alive',
+              'Content-Type' => 'application/json',
+              'Keep-Alive' => '30',
+              'User-Agent' => 'Faraday v0.17.3'
+            }).
+          to_return(status: 200, body: "", headers: {})
+      end
+
+      it 'does not succeed if state cookie mismatches (redirects)' do
         Travis.redis.sadd('github:states', 'github-state')
         response = get '/auth/handshake?state=github-state&code=oauth-code'
-        expect(response.status).to eq(400)
-        expect(response.body).to eq("state mismatch")
+        expect(response.status).to eq(302)
         Travis.redis.srem('github:states', 'github-state')
       end
     end
